Unpaid open source maintainers struggle with increased security demands (Security News, May 2023)
"Since almost all organizations rely heavily on open source in their applications, this new data demonstrates the increasing need to compensate and support the maintainers responsible for the health and security of the critical open source components we all depend on," said Donald Fischer, CEO, Tidelift.
"Maintainers are being held accountable for keeping their projects secure and adhering to new standards, but are often not being recognized or paid for the additional work they are being asked to do. By addressing this inconsistency, we can ensure maintainers will continue their important work improving the security and long-term resilience of the open source software supply chain powering government and industry," Fischer continued.
60% of maintainers describe themselves as unpaid hobbyists, while only 13% describe themselves as professional maintainers earning most or all of their income from maintaining projects.
81% of professional maintainers spend more than 20 hours per week maintaining their projects, compared to 27% of semi-professional maintainers, and only 7% of unpaid hobbyist maintainers.
Paid maintainers do more security and maintenance work than unpaid maintainers.
The gaps between unpaid and paid maintainers on some important security and maintenance practices are substantial, led by having a formal backwards compatibility policy, a defined dependency management process, reproducible and verifiable build processes, a security disclosure plan, and providing fixes and recommendations for vulnerabilities.
News URL: https://www.helpnetsecurity.com/2023/05/04/open-source-maintainers-security-demands/