In mid-2024, Tidelift fielded its third survey of open source maintainers. More than 400 maintainers responded and shared details about their work, including how they fund it, who pays for it, and what kinds of security, maintenance, and documentation practices they have in place today or would consider in the future. They also shared their thoughts about some “in the headlines” issues like the recent xz utils hack and the impact of AI-based coding tools. In this post, we share the fifth of twelve key findings. If you don’t want to wait for the rest of the results, you can download the full survey report right now.
As we shared in our previous finding, maintainers are being asked to do more work to comply with increasingly complex security requirements from industry and government. We started following this trend in our previous maintainer survey, and were able to collect some additional new data points to share in this year’s survey report as well.
We repeated a question we’d included in our previous survey, where we asked maintainers to report whether they were aware of some of the most common industry security standards or initiatives. In our previous survey, we’d asked about the NIST Secure Software Development Framework (SSDF), the OpenSSF Scorecard, and the Supply Chain Levels for Software Artifacts (SLSA) Framework, and this year we added the Secure by Design pledge that was initiated by CISA (the Cybersecurity and Infrastructure Security Agency) of the U.S. government.
Across the board, the percentage of maintainers who are aware of these industry standards and initiatives has grown. The initiative with the highest awareness among maintainers is the OpenSSF Scorecard project, with 40% of maintainers being aware of it, up from 28% in our previous survey. This is followed closely by the NIST SSDF, with 39% awareness, up from 26% in our previous survey.
More maintainers are also aware of the SLSA framework (23%) this year, compared to only 13% when we asked about it in 2023. And in our first year including it, 17% of maintainers were aware of the CISA Secure by Design pledge. The percentage of maintainers who were not aware of any of these initiatives decreased from 52% in 2023 to 40% this year, as these initiatives continued to gain adoption and traction.
We were particularly interested in the responses regarding the OpenSSF Scorecard project, which is becoming a security standard benchmark for many enterprise organizations. So we asked maintainers who had indicated that they were aware of the OpenSSF Scorecard project if they already have begun or plan to begin work to ensure their projects align with its requirements.
Thirty percent of these maintainers have already begun work to ensure their projects align with the requirements of the OpenSSF Scorecard, while another 6% plan to begin work in the next three months, and 12% plan to begin work between three months and one year from now. A full 40% of maintainers currently have no plans to align to the OpenSSF Scorecard.
The data gets really interesting when you compare the maintainers who have partnered with Tidelift to those who have not. (Tidelift partners with open source maintainers and pays them to implement industry-leading secure software development practices—like many of those found in the OpenSSF Scorecard—validate the practices they follow, and then contractually commit to continue these practices into the future.)
Nearly half of Tidelift-partnered maintainers aware of the OpenSSF Scorecard (49%) have already begun the work to ensure their projects align with its requirements, which is three times the percentage of maintainers not partnered with Tidelift who have done so (16%). This is about as clear evidence as any we have seen that paying maintainers delivers results when it comes to implementing better secure software development practices. Conversely, over half (52%) of maintainers who are not partnered with Tidelift have no plans to align to the OpenSSF Scorecard.
There are several reasons why maintainers might not want to align their projects with the OpenSSF Scorecard. The simplest reason is that it is a lot of work, and they are not being paid to do it. We suspect this may be why many maintainers are not aligning with the OpenSSF Scorecard yet.
Another reason might be that they just aren’t familiar enough with all of the requirements to make the commitment. Or some maintainers may not agree with all of the OpenSSF Scorecard requirements, or the requirements may not all apply to their projects and/or ecosystem. For example, the scorecard includes a Binary-Artifacts check, but virtually nothing in the npm ecosystem distributes binaries, so JavaScript maintainers may not bother aligning their projects to checks like this one that they do not feel are relevant.
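As an added illustration (not code from the survey, from Tidelift, or from the Scorecard project), here is a small Python check in the spirit of the Binary-Artifacts check: it walks a checkout and flags files whose leading bytes or extension mark them as compiled artifacts, which is how a maintainer can confirm a package really ships no binaries. The signature table and the sample package tree are constructed assumptions, not the Scorecard's own lists.

```python
import tempfile
from pathlib import Path

# Constructed signature table (an assumption for this example, not the
# Scorecard's own list): leading bytes that identify compiled artifacts.
MAGIC = {
    b"\x7fELF": "ELF binary",
    b"MZ": "PE binary (Windows)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit binary",
    b"\xca\xfe\xba\xbe": "Java class file or fat Mach-O binary",
    b"\x00asm": "WebAssembly module",
}
# Extensions flagged even when the header is unrecognised (.node files are
# Node.js native addons, the usual way a JavaScript package ships a binary).
BINARY_EXTS = {".exe", ".dll", ".so", ".dylib", ".jar", ".class",
               ".pyc", ".wasm", ".node", ".o", ".a"}


def classify(path: Path):
    """Return a description if the file looks like a binary artifact, else None."""
    with path.open("rb") as f:
        head = f.read(4)
    for magic, desc in MAGIC.items():
        if head.startswith(magic):
            return desc
    if path.suffix.lower() in BINARY_EXTS:
        return f"binary by extension ({path.suffix})"
    return None


def find_binary_artifacts(root):
    """Walk a checkout (skipping .git) and map relative paths to findings."""
    root = Path(root)
    hits = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and ".git" not in p.parts:
            desc = classify(p)
            if desc:
                hits[p.relative_to(root).as_posix()] = desc
    return hits


def demo():
    """Constructed npm-style tree: two text files plus two fake binaries."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "package.json").write_text('{"name": "example-pkg"}')
        (root / "index.js").write_text("module.exports = 42;\n")
        (root / "prebuilt").mkdir()
        (root / "prebuilt" / "addon.node").write_bytes(b"\x7fELF" + b"\0" * 60)
        (root / "tools").mkdir()
        (root / "tools" / "helper.exe").write_bytes(b"MZ" + b"\0" * 62)
        return find_binary_artifacts(root)


if __name__ == "__main__":
    for path, desc in demo().items():
        print(f"{path}: {desc}")
```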
Notwithstanding cases like these, the stark differences between how Tidelift-partnered maintainers answered this question about the OpenSSF Scorecard and how non-partnered maintainers answered the same question are a strong general signal that paying open source maintainers to implement secure software development practices can be an effective way for organizations to improve the security of the open source software supply chain they rely on. In our next finding, we’ll get into even more detail about the security practices maintainers are willing to implement when they are paid for their work.