Today, I’m excited to release our 2023 open source maintainer impact report—our first annual overview of the strategy and results from securing the open source software supply chain in partnership with open source maintainers.
And spoiler alert—the news is fantastic!
When you incentivize secure development practices for maintainers, the result is better software supply chain security outcomes.
(Prefer to watch rather than read? I shared many of the top findings in a talk at Upstream last week.)
The strategy: aligning incentives with secure outcomes for open source
Over the past several years, government and industry have come together to take action to improve open source software security. In the U.S., a series of government actions have defined a secure software development framework called the NIST SSDF.
Software producers that sell to the U.S. government will now be required to attest that they follow the practices the SSDF requires—if they’d like to keep that government business.
And all organizations doing business in the U.S. will need to be able to demonstrate they are following the requirements of the SSDF to reduce their organization’s exposure to new software cybersecurity liability policies outlined in the U.S. national cybersecurity strategy.
Meanwhile, industry groups like OpenSSF have developed security standards of their own that apply to open source projects.
Over the past several years, Tidelift has championed a model that pays open source maintainers directly to ensure their projects follow secure development practices like those recommended in the NIST SSDF and other industry standards initiatives.
In our new maintainer impact report, we share some of the latest data, learnings, and results we’ve taken away from creating reliable incentives for maintainers to ensure packages meet a set of secure development standards.
Paying maintainers to improve OpenSSF Scorecard scores works!
The OpenSSF Scorecard project was created to help maintainers improve their security best practices and to help open source consumers assess whether the packages they are using are safe. The scorecard is an automated tool that assesses a number of important heuristics (“checks”) associated with software security and assigns each check a score of 0–10, as well as an overall 0–10 score. The team behind the scorecard runs a regular analysis against millions of the most critical open source projects and publishes the resulting scores in a BigQuery public dataset.
Beginning in June of 2022, Tidelift undertook a focused project to incentivize open source maintainers to adopt the practices the OpenSSF Scorecard recommends, and with them to raise their overall scores. As expected, Tidelift’s paid cohort for this research was already scoring above its own September 2021 baseline, and above its peer open source packages, before the project began.
So what was the headline finding? Through a focused effort to pay a cohort of maintainers between June 2022 and May 2023, we increased OpenSSF Scorecard scores to an average of 7.2 out of 10, while other packages without investment had an average package score of 3.3 out of 10.
This focused cohort working on the OpenSSF Scorecard scores gave us a window into how maintainers are thinking about adopting these kinds of industry standards, and what hurdles exist for broader adoption.
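As an added illustration (not code from the report or from the Scorecard project), the script below shows how the per-check 0–10 scores described above roll up into a single overall score and which checks are holding a package back. The check risk levels and the per-level weights are assumptions taken from Scorecard’s own documentation, and the JSON input is a constructed sample in the shape of Scorecard’s JSON output.

```python
import json

# Risk level of each check and the weight Scorecard gives each level when it
# aggregates (assumed here from the Scorecard docs; verify against the version
# you run). A check that could not be evaluated reports a score of -1.
RISK_WEIGHT = {"Critical": 10.0, "High": 7.5, "Medium": 5.0, "Low": 2.5}
CHECK_RISK = {
    "Dangerous-Workflow": "Critical",
    "Token-Permissions": "High", "Vulnerabilities": "High",
    "Branch-Protection": "High", "Signed-Releases": "High",
    "Security-Policy": "Medium", "Pinned-Dependencies": "Medium",
    "Fuzzing": "Medium", "License": "Low", "CI-Tests": "Low",
}

# Constructed sample in the shape of `scorecard --format json` output,
# trimmed to a handful of checks; not any real project's result.
SAMPLE_RESULT = json.loads("""{
  "repo": {"name": "github.com/example-org/example-lib"},
  "checks": [
    {"name": "Dangerous-Workflow", "score": 10},
    {"name": "Token-Permissions", "score": 0},
    {"name": "Vulnerabilities", "score": 10},
    {"name": "Branch-Protection", "score": 2},
    {"name": "Security-Policy", "score": 10},
    {"name": "Pinned-Dependencies", "score": 5},
    {"name": "Fuzzing", "score": -1}
  ]
}""")


def aggregate_score(result):
    """Risk-weighted mean of the per-check scores (0-10); -1 if none ran."""
    num = den = 0.0
    for check in result["checks"]:
        if check["score"] < 0:  # inconclusive: excluded, not penalised
            continue
        # Checks missing from the table above are assumed Low risk.
        weight = RISK_WEIGHT[CHECK_RISK.get(check["name"], "Low")]
        num += check["score"] * weight
        den += weight
    return num / den if den else -1.0


def failing_checks(result, min_score=5):
    """Names of checks that ran and scored below min_score, sorted."""
    return sorted(c["name"] for c in result["checks"]
                  if 0 <= c["score"] < min_score)


if __name__ == "__main__":
    name = SAMPLE_RESULT["repo"]["name"]
    print(f"{name}: {aggregate_score(SAMPLE_RESULT):.1f}/10")
    print("below bar:", failing_checks(SAMPLE_RESULT))
```

Run against a real `scorecard --format json` result, the same two functions show where a package sits relative to the 7.2 and 3.3 averages quoted above and which weighted checks would move it most.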
Tidelift has been clarifying and incentivizing standardized security work for maintainers since 2018
This OpenSSF Scorecard cohort was just one example of the work Tidelift has been doing to improve open source software security. Tidelift keeps a continuously updated list of the security practices that we pay maintainers to ensure their projects follow (you can see it here), and we evolve and grow these practices over time. We’ve been paying maintainers to ensure their projects follow many of these secure development practices since 2018, and we measure how they are doing through a series of standards, checks, and tasks that maintainers complete in order to retain their monthly income.
For the first time, we are publicly sharing data showing how our partnered maintainers are doing when it comes to completing this work.
When it comes to some of the most critical security standards, like 2FA, a discoverable security policy, a validated license, and fixed vulnerabilities, 90+% of maintainers have validated that they have completed these tasks, and the percentages continue to increase.
As a result of Tidelift’s work with maintainers, packages are being developed with more security practices in place, and software supply chain security is increasing.
This model is ready to scale
We can now definitively measure investment, outcomes, and impact for open source software supply chain security.
Today, Tidelift’s model can deliver 2FA enablement, security policy setup, vulnerability review, release manager access verification, and dependency management when a maintainer signs on to join. Hundreds of maintainers, covering thousands of packages, have signed a contract that pays them to deliver secure development work beyond what they may be doing on their packages today.
As we look ahead, we want to expand how we work with maintainers: continuing to clarify and incentivize secure build processes, and moving further into token permissions, fuzzing, signing, and a range of practices aimed at reducing malicious source code injection attacks on the supply chain.
With the clarity, incentives, and relationships that Tidelift has created with independent open source maintainers, we can force multiply the practices and outcomes leading to even more secure, better open source. This will continue to drive innovation—safely—for industry and government alike.
Want to learn more and take a look at the data for yourself? Download the maintainer impact report or reach out to one of our experts to learn how you can get an open source attestation report for your organization.