Open-source developers primarily view their work as a pastime, despite pledges of financial support
A recent report by Hornetsecurity found that more than 60% of open source maintainers describe themselves as unpaid hobbyists. The figure underscores a structural challenge for the open source community, particularly when it comes to securing the software supply chain: the people expected to triage reports, ship fixes and keep dependencies current are, for the most part, not paid to do so.
The Log4j vulnerability (Log4Shell, CVE-2021-44228, a remote code execution flaw in Apache Log4j 2 that affected applications worldwide) exposed this imbalance. The library sat inside countless commercial products, yet the maintainers who had to respond were a small group of volunteers. The lack of compensation for open source maintainers is therefore a direct security problem for the components that modern commercial applications are built on, not only a fairness problem.
According to the report, 70% to 90% of modern commercial software includes open source components. That level of reliance, especially by federal agencies and enterprise users, means these components need to meet higher security standards. The report argues, however, that without a way to properly compensate maintainers, it remains extremely difficult to get open source projects reviewed for vulnerabilities and kept to those standards.
Tidelift CEO Donald Fischer suggests giving maintainers income, process support and help applying secure development standards to their projects. That would bolster the security of the software everyone depends on and, he argues, attract more professionals to maintenance work.
The national cybersecurity strategy, released two months before the report, is a comprehensive roadmap for building a more resilient technology infrastructure across the U.S. It aims to protect millions of consumers and critical industries from malicious hackers and other threats to data security, and it singles out the software supply chain as central to that goal.
The report, arriving two months after the strategy, highlights the gap between how heavily government and private industry use open source software and how little of the workforce behind those projects is paid. Companies that build billion-dollar businesses on open source have not invested nearly enough in compensating the people who maintain it.
About 23% of the surveyed maintainers call themselves semi-professional, meaning they derive some of their income from maintaining projects. Only 13% of the roughly 300 maintainers surveyed consider themselves professional maintainers who earn most of their income from open source work.
Log4j showed why the strategy's goal of a more resilient technology infrastructure matters in practice. As reliance on open source software continues to grow, the maintainers who develop and support these components need to be adequately compensated and supported if the software supply chain is to be secured.