The open source ecosystem underpins much of our digital infrastructure, yet many critical projects struggle with maintenance and security challenges, as highlighted by major vulnerabilities like Log4Shell and the XZ Utils backdoor. In recent years, there has been growing interest from the public sector in providing targeted funding to address these issues and support open source sustainability. But how can we, or should we, assess the impact of such funding initiatives?
A new research report by Dr. Ryan Ellis and Jaikrishna Bollampalli from Northeastern University, which was commissioned by the Sovereign Tech Fund (STF) in Germany, explores this question, examining the role of public funding in addressing bugs and vulnerabilities in open source projects. The report provides valuable insights into the benefits and potential risks of targeted public investment in open source maintenance and security like bug bounty programmes, noting that, “If not deployed judiciously, bug bounty programs may do more harm than good.”
The report charts a path forward for open source bounty programmes and makes five concrete recommendations:
The question of how maintenance of open source projects can be facilitated from the outside is highly relevant to the Linux Foundation’s work. Since January 2024, we have been a consortium partner in the European Commission’s NGI Commons, where we are working alongside our partners on evaluating the impact of public funding for open source projects. This includes the impact of the Next Generation Internet (NGI) initiative through which the Commission has funded over 1,200 research and development projects, many of which have released and/or contributed to open source projects.
This research has highlighted the vacuum of prior work on measuring open source funding impacts and the lack of consensus on how to do so meaningfully. Recognising the importance of this topic, we have joined forces with the STF and the Linux Foundation's Community Health Analytics in Open Source Software (CHAOSS) project, which has similarly been exploring this question. Drawing on our respective experiences and insights, we are currently developing methodological guidance for assessing the impact of public funding for open source, which we will present at the upcoming Open Forum Academy Symposium at Harvard Business School on 13-14 November. We will also share a preprint publicly for discussion among the wider open source community.
Our goal with this paper is not to present a set-in-stone way to think of or measure open source funding impacts. Rather, our goal is to organise and share our insights in a structured manner, and to stimulate a multi-stakeholder conversation in the open source community about the importance of funding and the impacts (good and bad) of different funding approaches. For example, key questions we're exploring include:
By putting this guidance out there, we aim to provide open source practitioners and policymakers with a toolkit that we can collectively use to advance the conversation about the importance and the potential impacts of funding for the open source ecosystem, as well as the public sector's role in this equation.
At the same time, another problem that we face is our limited understanding of the global open source funding landscape. Addressing this problem, the Linux Foundation’s research team has been working in partnership with GitHub and researchers from Harvard University to map and measure global funding for open source software. Drawing on a survey fielded in the open source community this summer, this research will create more visibility into the different types of funding and put a dollar value on them. The results will be published in November 2024 and presented at the Linux Foundation Member Summit on 19-21 November 2024.
We invite the open source community to engage with this important topic. Read the STF report, join the conversation at the OFA Symposium in November and at the LF Member Summit, and let us know your thoughts on this topic in the comments!