It's Not Enough to Just Hope for Secure Open Source Software
September 30, 2024

Lauren Hanford
Tidelift

If you are like many developers, your work relies heavily on open source code. But do you ever stop to consider where this code comes from and what motivates the people who write it to keep it maintained and secure? We recently surveyed over 400 open source maintainers to learn more about their work, including how they fund it and what kinds of security and maintenance practices they have in place. Here are a few of the most critical findings we uncovered that impact development teams relying heavily on open source.

60% of maintainers are not paid for their work

Would it surprise you to find out that the majority of open source packages are maintained by completely unpaid hobbyist volunteers?

And that very few packages are maintained by full-time paid professional maintainers?


Unfortunately, volunteer maintainers are the norm and not the exception today. Our study found that 60% of maintainers describe themselves as unpaid hobbyists, while only 12% are professional maintainers who earn most of their income from maintaining their projects. Another 24% of maintainers identify as semi-professional maintainers and earn some of their income from maintaining projects.

Meanwhile, maintainers who get paid more are also able to devote more time to maintaining their open source projects. We asked maintainers how much time they spend on their maintenance work, then cut the data into three categories: professional maintainers, semi-professional maintainers, and unpaid hobbyists.


For professional maintainers, 82% are able to devote more than 20 hours per week to their maintenance work. Conversely, only 8% of unpaid hobbyists devote more than 20 hours per week, and the vast majority (78%) devote 10 hours per week or less.

Question to address within your team: what is our strategy for replacing deeply nested open source dependencies whose maintainers cannot devote enough time to keeping them secure and well maintained because of time and financial constraints?

Paid maintainers implement more critical security and maintenance practices than unpaid maintainers

So what is the impact of having so many maintainers as unpaid hobbyist volunteers?

It means that they can't afford to make the time to do the same security and maintenance work that paid maintainers can do — and they often don't.

We asked maintainers to tell us if they had implemented 16 important security and maintenance practices for their projects. Paid maintainers are on average 55% more likely to have implemented these critical practices than unpaid maintainers.

When it comes to key practices, such as having a security disclosure plan, providing signed releases and artifact provenance, and publishing fixes and recommendations for vulnerabilities, paid maintainers were significantly more likely to have implemented them than unpaid maintainers, as the chart included here shows.


Questions to address within your team: how much do you know about the security and maintenance practices followed by the maintainers of the open source projects you rely on most? Which of these practices would you expect to be in place for the code you write yourselves?

Maintainers are underpaid, underappreciated and stressed out

Each year in our survey, we ask maintainers to tell us what they dislike most about their work. The answers stay remarkably consistent. The number one thing maintainers dislike is that they are not financially compensated enough, or at all, for their work, with exactly half of maintainers choosing this reply. Slightly less than half of maintainers (48%) report that they feel underappreciated or that the work is thankless. And 43% of maintainers say the work adds to their personal stress. Meanwhile, 39% of maintainers dislike being asked to comply with requirements they don't have the time for, and the same percentage think that users are too demanding and expect too much of them.

Maintainers had a lot to say on this subject. As one open source maintainer told us, "the entitlement of the open source community is off the charts." Another maintainer observed that "most users, even ones who require fixes, are not willing to roll up their sleeves to help. They just expect someone else to fix it for free."

Against this backdrop it may come as no surprise that 60% of maintainers have either quit or considered quitting their maintenance work.


Questions to address within your team: do we know which packages we rely on have been or are at risk of being abandoned or declared end of life? What is our strategy if we need to rip and replace up to 60% of our open source? Are we prepared to fork and maintain it ourselves?

How can you contribute to the health and security of the open source software your organization depends on?

It does not require a PhD in economics to understand that people who are paid will do more than people who are not, and that the more you pay them, the more they are willing to do. But this year's survey gives us a few different lenses through which to explore the improvements organizations can expect to see when they prioritize paying the maintainers of the projects they use. If having healthy, well-maintained, and secure open source dependencies is a priority for your organization, ensuring that the maintainers themselves are financially healthy and well supported should be a priority, too.

Lauren Hanford is VP of Product at Tidelift