While there may be a clear understanding that free and open-source software (FOSS) requires more dedicated security effort, open-source contributors do not want to be bothered with it. A recent report found that contributors on average spend only about 2.27% of their FOSS contribution time responding to security issues, and have no plans to increase that share. When asked how much time they would like to spend on security, respondents reported figures as low as 0.06%.
This is not because contributors see no need for security. When asked what external contribution would be most beneficial to their FOSS projects, they named bug and security fixes, free security audits, and easier ways to integrate security tools into their CI pipelines. “This indicates that there is a clear need for these efforts, but existing contributors are not interested in dedicating substantial additional time to it,” stated the 2020 FOSS Contributor Survey, which was conducted by the Linux Foundation and the Laboratory for Innovation Science at Harvard.
As a result, the report found that open-source projects need an alternative method for incentivizing security-related efforts. These methods can include improving security practices through more secure development training, badging programs, mentoring programs, and security and automation tools.
In addition, organizations that pay employees to contribute to FOSS can help by redirecting some of that paid effort toward identifying and addressing known security issues. According to the report, almost half of respondents are paid to contribute to FOSS. Organizations need to find a balance between corporate and project interests. While paid contribution could improve the stability and sustainability of FOSS, there is a concern that an organization will steer contributions in the direction that is best for the company rather than for the project’s users. A further concern is that if the organization decides contributing is no longer cost-effective and withdraws, the project will lose most of its contributors.
To create a balance, the report suggests companies be clear about their commitment and long-term support of specific projects, incentivize paid contributors to mentor new volunteers, and transfer projects to a foundation with neutral governance.
The report also stresses the need for companies to provide clear FOSS policies. About 17% of respondents stated their companies have unclear policies and about 6% reported they were unaware of any policies.
When asked what motivates them to work on FOSS projects, contributors cited the “enjoyment of learning,” “the need for a feature or fix,” and “the need for creative expression.” To sustain that motivation, the report suggests companies recognize the value of contributing to FOSS, support the learning process, balance mundane and creative tasks, and consider support options other than payment to contributors.
“In the end, free and open source software is, and always has been, a community-driven effort that has led to the development of some of the most critical building blocks of the modern economy. This survey highlights the importance of the security of this important dynamic asset. Likewise, it will take a community-driven effort, including individuals, companies, and institutions, to ensure FOSS is secure and sustainable for future generations,” the report stated.