Announcing GitHub Secure Open Source Fund: Help secure the open source ecosystem for everyone

Applications for the new GitHub Secure Open Source Fund are now open! Applications will be reviewed on a rolling basis until they close on January 7 at 11:59 pm PT. Programming and funding will begin in early 2025.

| 7 minutes

Today, we’re announcing the call for applicants for the GitHub Secure Open Source Fund, a program designed to financially and programmatically improve security and sustainability of open source projects. Applications are open on a rolling basis until they close on January 7 at 11:59 PM PT.

We’re launching with $1.25 million to be invested across 125 projects, backed through the kind support of Alfred P. Sloan Foundation, American Express, Chainguard, HeroDevs, Kraken, Mayfield Fund, Microsoft, 1Password, Shopify, Stripe, Superbloom, Vercel, Zerodha, and others. Beyond today’s launch, we will continue to accept partners in joining our mission towards funding open source security. And apart from pure financial support, the three-week program will provide maintainers with security education, mentorship, tooling, certification, and more. For a full explanation of program eligibility and benefits, see below.

For the people that maintain much of the open source that the world depends on today, security is important but also often difficult to prioritize amongst all the other work needed when running a popular open source project. Even more, while new research shows organizations invest billions of dollars into open source, cybersecurity audits are not a point of emphasis from organizations. Nobody wants their open source project to be the source of security issues to people who use it, but keeping up to date with everything, dealing with security reports and issuing fixes all takes time. And that is often the hardest thing to find when you are already maintaining the project in your spare time.

Talking with maintainers, foundations and other companies like ourselves, we wanted to create a different way to help. For some maintainers, being able to get funding would help them free up the time to focus on security; for others, it’s the learnings, experts, and community that can help. Building on learnings from other open source funders and community-driven security practices, the GitHub Secure Open Source Fund is a first-of-its-kind cohort-based program linked to funding. The goal is to improve security for projects in a way that scales, by building a security-minded community of maintainers and funders with shared objectives. The community stands to benefit with reduced security risk, visibility and insights on project security status, and consistent reporting.

We’re taking an ecosystem approach because we believe a dependency graph is more than just connected software. It is the underlying people that underpin the success and sustainability of open source. We’re investing in security because it is critical to the global software ecosystem, and for many organizations it is critical for navigating policies like Secure by Design and the EU Cyber Resilience Act, and for long-term sustainability.

Open source helps American Express provide the world’s best customer experience every day by allowing our developers to innovate, collaborate, and share. The security of open source software has long been a priority for our company. We are proud to back this important program that aims to improve security in a scalable way and help support open source maintainers to implement secure software.

- Hilary Packer, Chief Technology Officer // American Express

We are committing to the GitHub Secure Open Source Fund in alignment with our long-standing commitment to the FOSS ecosystem, from which we benefit immensely. We see this program as an exciting win-win: getting money directly into the hands of FOSS developers, while enabling critical security improvements in software that benefits everyone.

- Dr. Kailash Nadh, CTO // Zerodha

Program eligibility and benefits

GitHub will provide security education, engagement with experts, community support, promotion, and bi-annual security health reports. Maintainers will get hands-on learning of security principles, tools like GitHub Copilot and Copilot Autofix to help improve security posture, reduce security debt, and improve confidence of downstream users. All funding goes directly to maintainers via GitHub Sponsors. Anyone who is a current maintainer of an open source project with a valid open source license and located in one of the regions supported by GitHub Sponsors can apply.

In total, participants will receive:

  • Funding: $10,000 per project in funding aligned with the program milestones and checkpoints,
  • Education: 3-week program consisting of a 5-10 hour commitment each week with a mix of 1-to-1, instruction, workshops, group sessions, project work, and mentorship. Projects will also have focused work towards project-specific security milestones agreed between the project, the program managers, and GitHub Security Lab.
  • Check-ins: 6-month and 12-month checkpoints following the education
  • Office hours with GitHub Security: dedicated time with the GitHub Security Lab team to establish effective security policies and best practices for incident management planning and support.
  • Engagement: Q&As with GitHub Sponsors funders, community members, and GitHub leaders.
  • Expertise: access to security experts from the GitHub Security Lab, Q&As with GitHub Sponsors funders, community members, and GitHub leaders.
  • Tools: free access and training for relevant GitHub products, including tools like GitHub Copilot, Copilot Autofix, and secret scanning.
  • Community: access to the new GitHub Secure Open Source community.
  • Alumni support: ongoing opportunities for networking and support from GitHub.
  • Policy education: preparing projects to navigate policies like Secure by Design and the EU Cyber Resilience Act.
  • Certification and health reports: program Certification and bi-annual security health reviews.

Understanding the state of Open Source funding in 2024

GitHub wouldn’t be GitHub without its community of developers, partners, and customers. Already, through GitHub Sponsors, we’ve seen the impact organizations have when they invest in their open source dependencies—whether that’s through general dependencies support, bringing new ideas to life or even creating full-time careers. Since introducing support for organizations through GitHub Sponsors, more than 5,800 organizations, including Microsoft and Stripe, have invested in maintainers and projects on GitHub, up nearly 40% YoY. Cumulatively, the platform has unlocked over $60 million in funding for maintainers to help them spend more time working on their projects.

But we know we’re just scratching the surface when it comes to organizations and corporate support of open source. This summer, we partnered with the Linux Foundation and researchers from Laboratory for Innovation Science at Harvard (LISH) to learn more about the state of open source funding today. Diving in, we assessed organizations funding behaviors, potential misalignments, and opportunities to improve. In the report launched today, we found:

  • Responding organizations annually invest $1.7 billion in open source, which can be extrapolated to estimate that approximately $7.7 billion is invested across the entire open source ecosystem annually.
  • 86% of investment is in the form of contribution labor by employees and contractors working for the funding organization, with the remaining 14% being direct financial contributions.
  • Organizations generally know how and where they contribute (65%) but lack specific clarity of their contributions (38%).
  • Security efforts focus on bugs and maintenance; only a few (6%) said comprehensive security audits are a priority.

We all stand to benefit from unlocking more funding for open source. By tackling problems like open source security as an ecosystem, we believe we can help create more available funding and resources that are vital to the sustainability of open source. Not every open source project or maintainer has access to funding and training for security. That’s why we created a fund that everyone potentially eligible can apply for. For some, receiving training, tools, mentorship, and financial support can be a game changer, allowing them to invest time in improving their project’s security. We are encouraged by the work of other organizations, projects, and communities shaping the ecosystem. Moreover, ecosystem partners like CURIOUSS, Ecosyste.ms, Laboratory for Innovation Science at Harvard, Mozilla Foundation, OpenForum Europe, OpenJS, OpenSSF, Open Source Initiative, Open Technology Fund, Open Source Collective, Sovereign Tech Agency, and Sustain OSS, and others engaged and helped provide input, feedback, and ideas as we have brought this idea to life.

We are excited that the GitHub Secure Open Source Fund will apply learnings from our OpenSSF community by directly engaging with critical projects and developers to help improve the security posture of their software and communities. We’ve long understood that people are the engine that powers open source, and excited that this model builds on the research collaboration between GitHub, Harvard University, and the Linux Foundation and the OpenSSF community. We look forward to the positive impact on open source sustainability and security.

- Hilary Carter, SVP Research // Linux Foundation, and Christopher Robinson, Chief Architect of OpenSSF // Linux Foundation

Supporting a future for 1 billion developers

This is the beginning of a journey into helping find ways to secure open source. On its own, it’s not the answer, but we are confident it will help. We will be monitoring the impact of these investments and share what we learn as we go.

Join us in investing and building a safer, more secure open source ecosystem. Our hope is that new programs like the GitHub Secure Open Source Fund empower a healthier, more diverse and more secure open source ecosystem for all by encouraging a culture of proactive security and also helping organizations show the value to their stakeholders in investing in open source security. If you are providing financial investment, promoting secure open source practices, sharing your expertise, or advocating for secure practices, we can all help build a stronger, more resilient open source community—together.

Written by

Related posts