Open Source: Paid Maintainers Keep Code Safer, Survey Says

It’s no surprise that most open source software project maintainers aren’t paid for their work. But the latest report from Tidelift indicates that not paying people to maintain open source code also means that those projects are less secure.

Sixty percent of open source maintainers surveyed by Tidelift said they aren’t paid for their work. The study of more than 400 maintainers also found that they’re significantly less likely than their compensated peers to implement critical security and maintenance practices.

In fact, the survey, released Tuesday, found that paid maintainers were an average of 55% more likely to implement the practices covered by the report than volunteers were.

Maintainers Feel Unappreciated

Nearly all applications contain some open source code. But the percentage of open source maintainers who are unpaid for their work is roughly the same as it was in 2023’s Tidelift report.

Of the 60% of respondents who said they are unpaid, almost three-quarters said they would like to receive financial compensation for their work on open source projects.

Of those who are being paid, 47% are being paid by donation programs; 45% say they are paid as part of their salary because open source work is part of their day job. Overall, 19% of project maintainers said they received income from Tidelift.

Shares of the survey pool in the low single digits reported receiving money from other sources, including companies that were not their chief employer and open source foundations.

Half of all maintainers said they aren’t being paid enough for the work they do. Nearly as many — 48% — reported feeling unappreciated.

Sixty percent of all maintainers said they have quit or considered quitting their projects.

Increased Security Demands

Some good news from the report: Fewer maintainers than in the 2023 report said they are unaware of security initiatives like the Open Source Security Foundation (OpenSSF) Scorecard and the Supply-chain Levels for Software Artifacts (SLSA) framework.

Only 40% of Tidelift survey participants said they were unaware of these and other security initiatives, compared with 52% who said the same in 2023’s report.

Maintainers say they spend 11% of their time on security work, up from 4% in 2021’s report. They reported increased vigilance in the wake of the xz utils episode, when a backdoor was discovered in March, in the Linux xz compression library.

Since that incident:

• 66% of maintainers surveyed said they are less trusting of pull requests from non-maintainers of their project.
• 37% said they are less trusting of the contributions made to their project by their co-maintainers.

The emergence of generative AI-based coding tools is viewed as a potential threat to the work of open source, according to the maintainers surveyed:

• 45% of maintainers predict the tools will have a somewhat or extremely negative impact on their work.
• 64% said they would be less likely to review and accept project contributions that they knew were created with AI-based tools.

Lawrence E. Hecht, research director at The New Stack, consulted on Tidelift's survey.