In mid-2024, Tidelift fielded its third survey of open source maintainers. More than 400 maintainers responded and shared details about their work, including how they fund it, who pays for it, and what kinds of security, maintenance, and documentation practices they have in place today or would consider in the future. They also shared their thoughts about some “in the headlines” issues like the recent xz utils hack and the impact of AI-based coding tools. In this post, we share the sixth of twelve key findings. If you don’t want to wait for the rest of the results, you can download the full survey report right now.
In our previous finding, we extensively covered how many maintainers are aware of common open source security initiatives like the OpenSSF Scorecard project and the NIST Secure Software Development Framework. Part of the usefulness of initiatives like these is that they outline lists of secure software development practices that maintainers can follow to keep their projects safe and secure.
For this part of the survey, we wanted to look more closely at specific security practices like the ones found in the NIST SSDF, OpenSSF Scorecard, or required for Tidelift-partnered maintainers so we could learn which of them maintainers already have in place and which they would consider implementing in the future.
Security practices most implemented by maintainers today
First, we asked a question similar to one we had asked previously in the 2023 survey:
Which of the following security practices have been implemented for most or all of the projects you maintain?
Except this time, we provided a much longer set of options than we’d included in our last survey. Of this new, longer list of common security practices, the one implemented by the highest percentage of maintainers was two-factor authentication for source code hosting and package managers (71%). Second was static code analysis (65%), and third was that they provide fixes and recommendations for vulnerabilities (60%).
These were followed by a security disclosure plan on how they should be contacted about security issues (52%) and secrets management (46%).
Maintainer security practices: 2024 vs. 2023
For those practices specifically asked about in both 2023 and 2024, we wanted to compare against our previous results to see if more maintainers are implementing the practices today than in 2023, and in fact they are.
Two-factor authentication was only implemented by 54% of maintainers in 2023, but now is being implemented by 71% of maintainers (+17%), which makes sense now that GitHub has made two-factor authentication basically mandatory for projects hosted on its platform. This is an interesting signal that for some classes of security practices, centralized infrastructure changes might be part of the solution.
Only 49% of maintainers were providing fixes and recommendations for vulnerabilities in 2023, and that percentage has risen to 60% today (+11%). And 39% were implementing a security issue disclosure plan in 2023 and the percentage is 52% today (+13%).
Do paid maintainers implement more security practices than unpaid maintainers?
Next, we wanted to see if maintainers who are being paid for their work are more likely to implement critical security practices than those who are not paid, and nearly across the board they are. In fact when you look across all of the security and maintenance practices we asked about, paid maintainers are 8-26 percentage points (or, on average 55%) more likely to implement the practices than unpaid maintainers. We’ll talk more about maintenance practices in the next finding, but for now, we’ll start with security practices.
For the three most implemented security practices, two-factor authentication (+8%), static code analysis (+16%), and providing fixes and recommendations for vulnerabilities (+16%), paid maintainers are significantly more likely to have implemented the practices than unpaid maintainers.
The gaps get even more pronounced among the next set of practices. Paid maintainers were much more likely to have implemented a security disclosure plan (+23%), implemented secrets management (+19%), and have signed releases and published artifact provenance (+22%).
What are the top security practices paid maintainers would implement?
Finally, we took the practices that individual maintainers reported they were not implementing today, and we asked them which of these practices they would consider implementing if they were paid for the work. As the chart below shows, when you combine the practices maintainers are already completing with the additional practices they would be willing to complete if they were being paid for the work, a roadmap for what security practices we might be able to positively impact by paying maintainers begins to emerge.
For example, only a small percentage of maintainers implement dynamic code analysis (19%), formal processes or standards to verify new contributors (13%), and third-party security audits (10%). But if they were paid, the number of maintainers that would at least consider implementing these less common, but still critical, practices roughly triples to 53%, 44%, and 47% respectively.
Looking at the top five security practices in the chart above, it becomes clear that over three quarters of all maintainers would be at least willing to implement the most common security practices like static code analysis (81%), two-factor authentication (80%), providing fixes and recommendations for vulnerabilities (80%), providing a security disclosure plan (79%), and providing signed releases and published artifact provenance (75%) if they were being paid for the work.
This is an exciting finding, because if you look at it the other way, it shows that many maintainers are not being held back from completing many common security tasks due to a lack of understanding or willingness to implement these practices.
It is that implementing these practices, and keeping them in place over time, requires a lot of work. Maintainers are clearly telling us that they are willing to do the work required to secure their projects—but they aren’t willing to do it for free.
Top comments (0)