Tidelift’s 2023 open source maintainer survey reveals that despite increasing demands from government and industry, most maintainers still don’t get paid for their work. Against a backdrop of increasing urgency and attention to software security from government and industry, the report provides insights into the critical work of the open source maintainers responsible for ensuring the security of the open source software modern organizations rely on.
In analyzing the survey responses of over 300 maintainers—the people who create and maintain open source software projects—one common thread emerges: maintainers are being asked to take on additional work to meet government and industry standards, and they would be increasingly motivated to learn more about those standards and how to apply them to their packages if they had the resources and compensation to do the work.
This is currently not the case, as 60% of maintainers describe themselves as unpaid hobbyists, while only 13% describe themselves as professional maintainers who earn most or all of their income from maintaining projects.
Key Findings of Tidelift’s 2023 State of the Open Source Maintainer Report:
Despite increasing demands, most maintainers still don’t get paid for their work.
- 60% of maintainers describe themselves as unpaid hobbyists, while only 13% describe themselves as professional maintainers earning most or all of their income from maintaining projects. 23% of maintainers describe themselves as semi-professionals, earning some of their income from maintaining projects.
- The more maintainers get paid, the more they work on open source. 81% of professional maintainers spend more than 20 hours per week maintaining their projects, compared to 27% of semi-professional maintainers, and only 7% of unpaid hobbyist maintainers.
Maintainers are being asked to do more security work. Over 50% didn’t get the memo.
- Over 50% of maintainers are not aware of new security standards initiatives like OSSF scorecards, SLSA, and the NIST SSDF.
- Of the maintainers aware of one or more of these standards, 43% have already begun work to align to these industry standards or plan to begin work within the next year.
- 39% have no plans to align to these industry standards and 19% are still on the fence, reporting that they either do not know or are not sure whether they will do the work to ensure their packages align with these industry standards.
Maintainers to industry: We don’t have the time or money to do more.
- 38% of maintainers who do not plan to align their projects with industry standards say they just don’t have the time, while 37% won’t do it because they are not being paid for the work.
- 54% of maintainers would appreciate help so they can better understand these new standards and how they apply to their project, while 47% of maintainers want to be paid for undertaking the work needed to align their projects with the new standards.
Paid maintainers do more security and maintenance work than unpaid maintainers.
- Across every practice asked about, paid maintainers were significantly more likely to have implemented it or have it on the roadmap. More than 50% of paid maintainers have implemented or plan to implement 12 out of 16 common security and maintenance practices. Unpaid maintainers? Only 5 out of 16.
- The gaps between unpaid and paid maintainers on some important security and maintenance practices are substantial, led by a formal backwards compatibility policy (39% unpaid, 71% paid, 32% gap), a defined dependency management process (26% unpaid, 57% paid, 31% gap), reproducible and verifiable build processes (47% unpaid, 77% paid, 30% gap), a security disclosure plan (42% unpaid, 69% paid, 27% gap) and providing fixes and recommendations for vulnerabilities (43% unpaid, 69% paid, 26% gap).