Today I’m excited to share our 2024 Tidelift maintainer impact report.
We release a new maintainer impact report annually to shine a light on the most current and compelling evidence of the positive impact that organizations can expect to achieve—outcomes that reduce organizational risk and improve operational efficiency—when they invest directly in their open source software supply chain by paying maintainers.
In last year’s maintainer impact report, we highlighted the results of a project where we invested in a cohort of maintainers specifically to complete a set of defined tasks that would improve the project’s OpenSSF Scorecard scores. The results clearly showed that Scorecard scores will improve dramatically when maintainers are paid to implement security practices, resulting in more secure upstream open source software.
Case story: the business impact of paying open source maintainers to scale real world application security
For this year’s report, we wanted to connect secure upstream open source software with meaningful customer outcomes. To do this, we are featuring a case story of how one Tidelift customer improved the security and resilience of an important Python application used to analyze and forecast commercial pricing in a competitive, highly regulated industry. We wanted to see how they were able to improve the application’s security and resilience over a two-year period with help from Tidelift and our open source maintainer partners.
I’ll preview the bottom-line results here: This customer is able to set accurate pricing, drive profitability, and improve their margins because their developers have been able to reduce the organization’s reliance on abandoned, end-of-life, or otherwise insecure open source packages that are costing them time and money. Specifically, they:
- Saved $1.1 million of organizational time across engineering, legal, and security that would otherwise have been spent on requirements research and engineering implementation
- Reduced application risk by turning 37% of this customer’s independently maintained packages from an “unknown future” to reliably secured and maintained, with a plan in place to grow that percentage to 58% in 2025 and 80% in 2026
As the chart above shows, Tidelift has helped reduce the potential costs to the business arising from the reliance on abandoned, end-of-life, or otherwise insecure open source packages already in this one application. With plans to continue improving contractual security and maintenance coverage over the next two years, the organization can expect to significantly reduce costs related to unplanned work and emergency fire drills that suck time away from other important business priorities.
All of this return is in addition to the organization’s ability to continue to take advantage of the increased business velocity that open source provides.
Additional evidence: How paying maintainers improves project security and resilience
For part 2 of the report, we gathered the most recent evidence of maintainer impact on improving security and operational efficiency outcomes from several additional sources. First, we recap some highlights from our 2024 Tidelift state of the open source maintainer report, where maintainers reported firsthand what kinds of security practices they are able to implement when they are paid for their work. We also brought in supporting data from other sources, like the Sonatype State of the Software Supply Chain report and the Atlantic Council report O$$ Security: Does More Money for Open Source Software Mean Better Security?
Why should your organization care about paying maintainers to increase their impact?
As open source continues to become more ubiquitous each year in enterprise applications, the risks organizations using open source are expected to manage also grow. High profile security vulnerabilities impacting open source, headlined by the Log4Shell and xz utils incidents, have made open source software security a critical board-level issue in many organizations, potentially impacting revenue, data, and customers.
Governments around the world are stepping up efforts to improve cybersecurity and reduce risk to consumer data and national security. Efforts like the Cyber Resilience Act (CRA) and Product Liability Directive (PLD) in the EU and the National Cybersecurity Strategy and White House Executive Order 14028 on Improving the Nation’s Cybersecurity in the United States place new responsibilities on organizations building software applications to ensure their products are secure, and codify paths to pursue damages if they are not.
Open source code downloaded from the internet is being provided “as is,” which means the user—your organization—is taking responsibility for any issues that arise from its use.
This responsibility is being codified into new cybersecurity regulations like the aforementioned Product Liability Directive in the EU. Here’s a direct quote from the PLD (emphasis ours):
“Where free and open source software supplied outside the course of a commercial activity is subsequently integrated by a manufacturer as a component into a product in the course of a commercial activity and is thereby placed on the market, it should be possible to hold that manufacturer liable for damage caused by the defectiveness of such software but not the manufacturer of the software because they would not have fulfilled the conditions of placing a product or component on the market.”
In other words, if your organization makes the decision to use an open source component that is later found to be insecure and it results in damages, your organization would be liable for the damages—not the open source maintainer who created the component.
The core thesis of this impact report is that organizations can proactively solve for this—and improve the security and resilience of their software supply chain—by paying maintainers of the open source projects they rely on to follow secure software development practices.
Once you’ve had a chance to digest this report, if you agree that it should be an urgent strategic imperative for your organization to improve the security and resilience of your open source software supply chain, Tidelift can help.
Tidelift works with organizations to increase the security and resilience of their applications by partnering directly with open source maintainers. Tidelift is the only company that pays them to:
- Implement industry-leading secure software development practices and validate the practices they follow so organizations can have the same confidence in the security of their open source that they have in their own code
- Contractually commit to continue these practices into the future so that organizations can confidently make long term investments in the packages they use
We are entering a new age of accountability, where businesses will need to invest time and money to comply with new external requirements while also increasing the internal diligence they put into hardening their software supply chain to protect their own assets as well. Tidelift can be your partner in this effort, and we look forward to collaborating with you to reduce risk and help ensure you get the most out of your investment in open source.