Facilitating Open Source Maintenance: Evaluating Funding Approaches and Measuring Impact

The open source ecosystem underpins much of our digital infrastructure, yet many critical projects struggle with maintenance and security challenges highlighted by major vulnerabilities like Log4Shell and the XZ Utils backdoor. In recent years, there has been growing interest from the public sector in providing targeted funding to address these issues and support open source sustainability. But how can we or should we assess the impact of such funding initiatives?

The merits and risks of open source bug bounty programmes

A new research report by Dr. Ryan Ellis and Jaikrishna Bollampalli from Northeastern University, which was commissioned by the Sovereign Tech Fund (STF) in Germany, explores this question, examining the role of public funding in addressing bugs and vulnerabilities in open source projects. The report provides valuable insights into the benefits and potential risks of targeted public investment in open source maintenance and security like bug bounty programmes, noting that, “If not deployed judiciously, bug bounty programs may do more harm than good.”

The report charts a path forward for open source bounty programmes and makes five concrete recommendations:

1. Invest in Holistic Approaches to Maintenance: The report emphasises that open source security is closely tied to overall project maintenance. Poorly maintained projects are inherently insecure. Investing in and improving maintenance has spillover effects that also improve security.
2. Bounty Last, not First: Bug bounty programmes work best when they are layered on top of already-existing security practices. Bounties are not a substitute for secure development practices and should not be deployed before these practices are in place.
3. Leverage Bounty Programmes to Improve Identification: The report suggests targeting mature projects that are spending a disproportionate amount of time on vulnerability identification. Speeding up initial identification can reduce exposure and improve security.
4. Open Source Bounty Programmes Should Adopt Ethical Practices: Bounty programmes should recognise the unique characteristics of the open source ecosystem and take care to enhance rather than erode reciprocity. They should be designed to minimise risks for participating hackers and address questions of equity within the project community.
5. Bounty Funding Should Be Community-Driven and Aid Structural Support: Funding for open source bug bounty programmes should come from the larger community of users that benefit from open source technologies. Bounties should be paired with general investments in the maintenance of the open source project to offset the new work created by managing bounty programs.

Working towards measuring the impact of public funding for open source

The question of how maintenance of open source projects can be facilitated from the outside is highly relevant to the Linux Foundation’s work. Since January 2024, we have been a consortium partner in the European Commission’s NGI Commons, where we are working alongside our partners on evaluating the impact of public funding for open source projects. This includes the impact of the Next Generation Internet (NGI) initiative through which the Commission has funded over 1,200 research and development projects, many of which have released and/or contributed to open source projects. 

This research has highlighted the vacuum of prior work on measuring open source funding impacts and the lack of consensus on how to do so meaningfully. Recognising the importance of this topic, we have joined forces with the STF and the Linux Foundation's Community Health Analytics in Open Source Software (CHAOSS) project who have similarly been exploring this question. Drawing on our respective experiences and insights, we are currently developing methodological guidance for assessing the impact of public funding for open source, which we will present at the upcoming Open Forum Academy Symposium at Harvard Business School on 13-14 November. We will also share a preprint publicly for discussion among the wider open source community.

Our goal with this paper is not to present a set-in-stone way to think of or measure open source funding impacts. Rather, our goal is to organise and share our insights in a structured manner, and to stimulate a multi-stakeholder conversation in the open source community about the importance of funding and the impacts (good and bad) of different funding approaches. For example, key questions we're exploring include:

1. What kinds of social, economic, and technological impacts—both positive and negative, direct and indirect—can funding have on OSS projects and their broader ecosystems over different time horizons?
2. How do different funding approaches influence OSS project outcomes and community dynamics, and what are the relative merits and drawbacks of various funding approaches?
3. What are potential unintended consequences of funding that need to be identified and mitigated?
4. How, if at all, can we create meaningful metrics that capture the multiplier effects of funding and convey the return on public investment?
5. How can or should we define and measure "success" in OSS funding?

By putting this guidance out there, we aim to provide open source practitioners and policymakers with a toolkit that we can collectively use to advance the conversation about the importance and the potential impacts of funding for the open source ecosystem, as well as the public sector's role in this equation.

At the same time, another problem that we face is our limited understanding of the global open source funding landscape. Addressing this problem, the Linux Foundation’s research team has been working in partnership with GitHub and researchers from Harvard university to map and measure global funding for open source software. From a survey fielded in the open source community this summer, this research will create more visibility of different types of funding and put a dollar value on its value. The results will be published in November 2024 and presented at the Linux Foundation Member Summit on 19-21 November 2024.

We invite the open source community to engage with this important topic. Read the STF report, join the conversation at the OFA Symposium in November and at the LF Member Summit, and let us know your thoughts on this topic in the comments!