Unpaid maintainers: The Security Threat No One Is Talking About (yet)

It’s hard to be an open source maintainer in 2024. Despite increasing demands, 60% of maintainers still don’t get paid for their work, and 58% have considered quitting or have already quit maintaining their projects. Earlier this year, the xz utils scare brought to light the very real implications of what can happen when maintainers are not supported. While this particular attack was thwarted, the bottom line is that most maintainers are unpaid hobbyists who receive neither the financial nor the societal (community, mental health, training, time) support needed to ensure the security and resilience of the open source software we all rely on.

Collectively, the industry has made developers the basis of an 8.8 trillion-dollar economy without giving them anything but extremely indirect benefits. But overworked and underappreciated maintainers are a huge problem that leads directly to organizational security risk. So what can you do about it?

In this session, Kanish, head of product marketing at Tidelift, will share brand new data from a recent state of the open source maintainer survey, including how the xz utils attack affected maintainers, the challenges and consequences of not incentivizing maintainers, and what he has learned about supporting maintainers, with examples of success stories in which maintainers are paid for their work so that their projects remain secure and healthy.

Speaker

Kanish Sharma

Kanish Sharma is head of product marketing at Tidelift, where he oversees go-to-market strategy, messaging, positioning, and content for Tidelift’s products and services, working closely with ...