Open source developers spend less than three percent of their time on security
The latest FOSS (Free and Open Source Software) contributor survey from the Open Source Security Foundation (OpenSSF) and the Laboratory for Innovation Science at Harvard shows respondents spend, on average, just 2.27 percent of their total time on security and express little desire to increase that time.
The survey of almost 1,200 respondents working on FOSS software shows the majority of respondents (74.87 percent) are already employed full-time and more than half (51.65 percent) are specifically paid to develop FOSS.
Motivations to contribute to open source software are focused on adding a needed feature or fix, enjoyment of learning, and fulfilling a need for creative or enjoyable work. The percentage of respondents that are paid by their employer to contribute to FOSS suggests strong support for the stability and sustainability of open source projects, but calls into question what could happen if corporate interest in a project diminishes or ceases.
Of the respondents, 45.45 percent say they are free to contribute to FOSS without asking permission, compared to only 35.84 percent a decade ago. However, 17.48 percent of respondents say their companies have unclear policies on whether they can contribute, and 5.59 percent are unaware of what policies, if any, their employer has.
"Understanding open source contributor behaviors, especially as they relate to security, can inform how we apply resources and attention to the world's most-used software," says David Wheeler, director of open source supply chain security at the Linux Foundation. "It is clear from the 2020 findings that we have work to do to ensure we staff across the community for security and to enable individuals to confidently contribute to open source software."