Open source contributors spending no time on security

The Linux Foundation’s Open Source Security Foundation (OpenSSF) and the Laboratory for Innovation Science at Harvard (LISH) announced the release of a report which details the findings of a contributor survey administered by the organizations and focused on how contributors engage with open source software.

The FOSS (Free and Open Source Software) contributor survey and report follow the Census II analysis released earlier this year. This combined pair of works represents important steps towards understanding and addressing structural and security complexities in the modern-day supply chain where open source is pervasive but not always understood.

Census II identified the most commonly used free and open source software components in production applications, while the survey and report shares findings directly from nearly 1,200 respondents working on them and other FOSS software.

The top three motivations for contributors are non-monetary

While 74.87 percent of respondents are already employed full-time and 51.65 percent are specifically paid to develop FOSS, motivations to contribute focused on adding a needed feature or fix, enjoyment of learning and fulfilling a need for creative or enjoyable work.

A need to dedicate more effort to FOSS security

There is a clear need to dedicate more effort to the security of FOSS, but the burden should not fall solely on contributors.

Respondents report spending, on average, just 2.27 percent of their total contribution time on security and express little desire to increase that time. The report authors suggest alternative methods to incentivizing security-related efforts.

Stakeholders need to balance corporate and project interests

As more contributors are paid by their employer to contribute, stakeholders need to balance corporate and project interests.

The survey revealed that 48.7 percent of respondents are paid by their employer to contribute to FOSS, suggesting strong support for the stability and sustainability of open source projects but drawing into question what happens if corporate interest in a project diminishes or ceases.

Companies should continue the positive trend of corporate support for employees’ contribution to FOSS. More than 45.45 percent of respondents stated they are free to contribute to FOSS without asking permission, compared to 35.84 percent ten years ago.

However, 17.48 percent of respondents say their companies have unclear policies on whether they can contribute and 5.59 percent were unaware of what policies – if any – their employer had.