In mid-2024, Tidelift fielded its third survey of open source maintainers. More than 400 maintainers responded and shared details about their work, including how they fund it, who pays for it, and what kinds of security, maintenance, and documentation practices they have in place today or would consider in the future. They also shared their thoughts about some “in the headlines” issues like the recent xz utils hack and the impact of AI-based coding tools. In this post, we share the second of twelve key findings. If you don’t want to wait for the rest of the results, you can download the full survey report right now.
In most corners of humanity, it is understood that people are typically willing to do more work if you pay them than they will do for free. Yet the open source world can sometimes feel like an upside down universe where there is an expectation that unpaid or underpaid volunteers will maintain their projects to the same standards that an organization would expect from their own employees, who often get paid handsomely.
For open source maintainers this can be… frustrating, as Forrest Brazeal captures in this cartoon.
While it might not be rocket science to reach the conclusion that open source maintainers would do more work if they were paid than they can do for free, we wanted to use this year’s survey to get some additional data points to support that conclusion.
In the previous finding, we reported that 60% of maintainers describe themselves as unpaid hobbyists, and 36% of maintainers describe themselves as paid (professional or semi-professional) maintainers, earning some or all of their income from their open source work.
We asked the 36% of maintainers who are getting paid for their work what types of improvements they’ve been able to make to their projects as a result of getting paid. The vast majority of paid maintainers (83%) report that they can spend more time maintaining their projects as a result of being paid. No shock there. But what else can they do when they are being paid?
Sixty-four percent of paid maintainers report that they can work on new feature requests, 52% are better able to research and respond to security issues and bugs reported by users, 51% can improve their project’s secure development practices, and 45% can prioritize remediating vulnerabilities impacting the project or its dependencies.
When you break down the paid maintainers into professional (earning most or all of their income from their maintenance work) and semi-professional (earning some of their income from maintaining projects), it becomes clear that the amount of money a maintainer is making for their work has a large impact on the types of improvements they are able to make. Across nearly all major categories, professional maintainers are on average over 20 percentage points more likely to make key improvements to their projects than semi-professional maintainers.
(Side note: throughout this blog series, you’ll see us consistently show gaps between percentages, like in the chart below. It’s our feeling that the brain processes these gaps more easily than it does a percentage difference between two numbers. For example, if one number was 50% and the next one was 75%, the gap between those two percentages would be 25 percentage points, but the percentage difference between the two is actually 50%. So for readability you’ll see us refer to percentage point gaps in most places, although occasionally, when the differences are really compelling, you’ll see us refer to a percentage difference between two numbers or even something like 3x or 3 times another number.)
More detail: almost all professional maintainers (96%) can spend more time maintaining their projects (as compared to 77% of semi-pro maintainers) because they are getting paid. Eighty-four percent of professional maintainers can work on new feature requests, as opposed to 55% of semi-pro maintainers. And perhaps most importantly, professional maintainers are almost twice as likely (64%) to be able to prioritize remediating security vulnerabilities impacting their project or dependencies compared to semi-pro maintainers (36%).
In last year’s report, we shared data showing that the more maintainers get paid, the more they work on open source. This conclusion still holds true in the 2024 data, and the results were remarkably consistent.
In the previous study, 81% of professional maintainers earning most or all of their income from maintaining projects spent more than 20 hours a week maintaining their projects. This year, the percentage was nearly identical (82%).
Conversely, in last year’s survey, we found that the vast majority of unpaid hobbyists spend ten hours or less per week on their maintenance work (81%). This percentage also stayed consistent in this year’s survey, with 78% of unpaid hobbyist maintainers working ten hours or less per week.
We’ve heard from many maintainers that how they are paid for their work also matters. For many maintainers there is a huge difference between getting a one-time “airdrop” of money, perhaps right after a high profile incident where people are paying attention to their projects, compared to ongoing recurring income that they can count on. So this year for the first time we asked maintainers to tell us whether they would prefer to get predictable monthly income or a one-time lump payment.
An overwhelming majority of maintainers prefer to receive predictable monthly income, with 81% choosing that option.
Gary Gregory, a co-maintainer of Apache Commons and the high profile Log4j package among other important Java projects, has a strong perspective on the issue of one-time payments versus recurring income.
“I think the recurring income piece is critical for me, at least,” Gary told us when talking about the difference between the income Tidelift provides and one-time project grants like the Log4j team received after the Log4Shell incident. “Just imagine what it’s like to have a job with a recurring income—it makes you feel safe, secure, and confident that you can keep on doing this work and that it’s not time wasted. It also lets you plan ahead. I always maintain a list of the components I want to release in the near future, and then I have a longer term list of things that I want to work on, that I know I’ll get to.”
Again, you do not need a PhD in economics to understand that when people are paid, they will do more than when they are not paid, and that the more you pay them, the more they are willing to do. But this year’s survey gives us a few different lenses through which to explore the improvements organizations can expect to see when they prioritize paying the maintainers of the projects they use. If having healthy, well-maintained, and secure open source dependencies is a priority for your organization, ensuring your maintainers themselves are financially healthy and well-maintained should be a priority, too.