Paid open source maintainers do significantly more security and maintenance work than unpaid maintainers, yet 60% of all maintainers remain unpaid, according to the 2024 State of Open Maintainer report from Tidelift.

“The health and security of our global software infrastructure depends on open source maintainers,” Donald Fischer, co-founder and CEO, Tidelift, said in an announcement of the report. “Paying maintainers improves their ability to ensure their projects meet the stringent security requirements that enterprise users require. These survey results show that organizations can positively impact their own security by funding the important work of the open source maintainers whose projects they rely on.”

Among the report’s key findings are that 16% of the 400 respondents to a Tidelift survey identified as unpaid hobbyists and would not want to get paid, while 44% of those unpaid said they would appreciate getting paid. The report noted concern that the percentage of maintainers getting paid for their work hasn’t changed, even with organizations placing a greater focus on software supply chain security.

Maintainers who are paid get their income through donation programs, employers and Tidelift, which did the survey.

About half of the maintainers surveyed said they are underappreciated, and 43% of them said it adds stress to their lives. Not surprisingly, 60% of maintainers have either quit or considered quitting the maintenance work.

One area that has seen growth is in the percentage of maintainers aware of such things as the OpenSSF Scorecard project, the NIST Secure Software Development Framework and the SLSA framework, with the percentage of those unaware of such standards and initiatives decreasing from 52% in 2023 to 40% this year, according to the report.

In light of the XZ Utils hack, two-thirds of respondents said they are less trusting of pull requests from non-maintainers, but only 37% reported they are less trusting of co-maintainer contributions. According to the report, one maintainer wrote in response to this question: “I feel the need to add a layer of vetting, but adding any additional layer of friction to a possible open source contributor would just scare them away. I cannot afford to be pushing people away.”

When it comes to AI-based coding tools, maintainers expressed concern, with 45% saying these tools will have a somewhat negative or negative impact on their work, and 64% saying they’d be less likely to accept contributions they knew were created using AI. The report found that younger maintainers are more likely to use AI-based tools than their senior counterparts.

You can read the full report here.