Today, we’re announcing the call for applicants for the GitHub Secure Open Source Fund, a program designed to financially and programmatically improve security and sustainability of open source projects. Applications are open on a rolling basis until they close on January 7 at 11:59 PM PT.
We’re launching with $1.25 million to be invested across 125 projects, backed through the kind support of Alfred P. Sloan Foundation, American Express, Chainguard, HeroDevs, Kraken, Mayfield Fund, Microsoft, 1Password, Shopify, Stripe, Superbloom, Vercel, Zerodha, and others. Beyond today’s launch, we will continue to accept partners in joining our mission towards funding open source security. And apart from pure financial support, the three-week program will provide maintainers with security education, mentorship, tooling, certification, and more. For a full explanation of program eligibility and benefits, see below.
For the people that maintain much of the open source that the world depends on today, security is important but also often difficult to prioritize amongst all the other work needed when running a popular open source project. Even more, while new research shows organizations invest billions of dollars into open source, cybersecurity audits are not a point of emphasis from organizations. Nobody wants their open source project to be the source of security issues to people who use it, but keeping up to date with everything, dealing with security reports and issuing fixes all takes time. And that is often the hardest thing to find when you are already maintaining the project in your spare time.
Talking with maintainers, foundations and other companies like ourselves, we wanted to create a different way to help. For some maintainers, being able to get funding would help them free up the time to focus on security; for others, it’s the learnings, experts, and community that can help. Building on learnings from other open source funders and community-driven security practices, the GitHub Secure Open Source Fund is a first-of-its-kind cohort-based program linked to funding. The goal is to improve security for projects in a way that scales, by building a security-minded community of maintainers and funders with shared objectives. The community stands to benefit with reduced security risk, visibility and insights on project security status, and consistent reporting.
We’re taking an ecosystem approach because we believe a dependency graph is more than just connected software. It is the underlying people that underpin the success and sustainability of open source. We’re investing in security because it is critical to the global software ecosystem, and for many organizations it is critical for navigating policies like Secure by Design and the EU Cyber Resilience Act, and for long-term sustainability.
Program eligibility and benefits
GitHub will provide security education, engagement with experts, community support, promotion, and bi-annual security health reports. Maintainers will get hands-on learning of security principles, tools like GitHub Copilot and Copilot Autofix to help improve security posture, reduce security debt, and improve confidence of downstream users. All funding goes directly to maintainers via GitHub Sponsors. Anyone who is a current maintainer of an open source project with a valid open source license and located in one of the regions supported by GitHub Sponsors can apply.
In total, participants will receive:
- Funding: $10,000 per project in funding aligned with the program milestones and checkpoints,
- Education: 3-week program consisting of a 5-10 hour commitment each week with a mix of 1-to-1, instruction, workshops, group sessions, project work, and mentorship. Projects will also have focused work towards project-specific security milestones agreed between the project, the program managers, and GitHub Security Lab.
- Check-ins: 6-month and 12-month checkpoints following the education
- Office hours with GitHub Security: dedicated time with the GitHub Security Lab team to establish effective security policies and best practices for incident management planning and support.
- Engagement: Q&As with GitHub Sponsors funders, community members, and GitHub leaders.
- Expertise: access to security experts from the GitHub Security Lab, Q&As with GitHub Sponsors funders, community members, and GitHub leaders.
- Tools: free access and training for relevant GitHub products, including tools like GitHub Copilot, Copilot Autofix, and secret scanning.
- Community: access to the new GitHub Secure Open Source community.
- Alumni support: ongoing opportunities for networking and support from GitHub.
- Policy education: preparing projects to navigate policies like Secure by Design and the EU Cyber Resilience Act.
- Certification and health reports: program Certification and bi-annual security health reviews.
Understanding the state of Open Source funding in 2024
GitHub wouldn’t be GitHub without its community of developers, partners, and customers. Already, through GitHub Sponsors, we’ve seen the impact organizations have when they invest in their open source dependencies—whether that’s through general dependencies support, bringing new ideas to life or even creating full-time careers. Since introducing support for organizations through GitHub Sponsors, more than 5,800 organizations, including Microsoft and Stripe, have invested in maintainers and projects on GitHub, up nearly 40% YoY. Cumulatively, the platform has unlocked over $60 million in funding for maintainers to help them spend more time working on their projects.
But we know we’re just scratching the surface when it comes to organizations and corporate support of open source. This summer, we partnered with the Linux Foundation and researchers from Laboratory for Innovation Science at Harvard (LISH) to learn more about the state of open source funding today. Diving in, we assessed organizations funding behaviors, potential misalignments, and opportunities to improve. In the report launched today, we found:
- Responding organizations annually invest $1.7 billion in open source, which can be extrapolated to estimate that approximately $7.7 billion is invested across the entire open source ecosystem annually.
- 86% of investment is in the form of contribution labor by employees and contractors working for the funding organization, with the remaining 14% being direct financial contributions.
- Organizations generally know how and where they contribute (65%) but lack specific clarity of their contributions (38%).
- Security efforts focus on bugs and maintenance; only a few (6%) said comprehensive security audits are a priority.
We all stand to benefit from unlocking more funding for open source. By tackling problems like open source security as an ecosystem, we believe we can help create more available funding and resources that are vital to the sustainability of open source. Not every open source project or maintainer has access to funding and training for security. That’s why we created a fund that everyone potentially eligible can apply for. For some, receiving training, tools, mentorship, and financial support can be a game changer, allowing them to invest time in improving their project’s security. We are encouraged by the work of other organizations, projects, and communities shaping the ecosystem. Moreover, ecosystem partners like CURIOUSS, Ecosyste.ms, Laboratory for Innovation Science at Harvard, Mozilla Foundation, OpenForum Europe, OpenJS, OpenSSF, Open Source Initiative, Open Technology Fund, Open Source Collective, Sovereign Tech Agency, and Sustain OSS, and others engaged and helped provide input, feedback, and ideas as we have brought this idea to life.
Supporting a future for 1 billion developers
This is the beginning of a journey into helping find ways to secure open source. On its own, it’s not the answer, but we are confident it will help. We will be monitoring the impact of these investments and share what we learn as we go.
Join us in investing and building a safer, more secure open source ecosystem. Our hope is that new programs like the GitHub Secure Open Source Fund empower a healthier, more diverse and more secure open source ecosystem for all by encouraging a culture of proactive security and also helping organizations show the value to their stakeholders in investing in open source security. If you are providing financial investment, promoting secure open source practices, sharing your expertise, or advocating for secure practices, we can all help build a stronger, more resilient open source community—together.
Written by