
Announcing GitHub Secure Open Source Fund: Help secure the open source ecosystem for everyone

December 12, 2024


Today we are announcing the call for applicants to the GitHub Secure Open Source Fund, a program that invests financially and programmatically in the security and sustainability of open source projects. Applications are accepted on a rolling basis until they close on January 7 at 11:59 p.m. PT.

We’re launching with $1.25 million to invest in 125 projects, made possible by the generous support of the Alfred P. Sloan Foundation, American Express, Chainguard, HeroDevs, Kraken, Mayfield Fund, Microsoft, 1Password, Shopify, Stripe, Superbloom, Vercel, Zerodha and others. Beyond today’s launch we will keep accepting partners who join our mission to fund open source security. And beyond financial support alone, the three-week program provides maintainers with security training, mentoring, tools, certifications and more. A full explanation of program eligibility and benefits is provided below.

For the people who run much of the open source the world depends on today, security is important, but it is often difficult to prioritize alongside all the other work that goes into running a popular open source project. Even more so now that new research shows that while companies invest billions of dollars in open source, cybersecurity audits are not a priority for them. Nobody wants their open source project to be the source of security problems for its users, but staying on top of everything, processing security reports, and issuing fixes takes time. And time is often the hardest thing to find when you are already maintaining the project in your spare hours.

By talking to maintainers, foundations and other companies like us, we set out to create a different kind of help. For some maintainers, funding would free up more time to focus on security. For others, it is the insights, experts and community that help most. Building on lessons from other open source funders and community-focused security practices, the GitHub Secure Open Source Fund is the first cohort-based program of its kind tied to funding. The goal is to improve project security in a scalable way by building a security-focused community of maintainers and funders with shared goals. The wider community benefits from reduced security risk, transparency and insight into each project’s security status, and consistent reporting.

We take an ecosystem approach because we believe a dependency graph is more than connected software: it is the people who make open source successful and sustainable. We invest in security because it is critical to the global software ecosystem, critical to compliance for many organizations with initiatives such as Secure by Design and the EU Cyber Resilience Act, and critical to long-term sustainability.

Open Source helps American Express deliver the best customer experience in the world every day by giving our developers the ability to innovate, collaborate and share. The security of open source software has long been a priority for our company. We are proud to support this important program aimed at improving security in a scalable way and helping open source maintainers implement secure software.

– Hilary Packer, Chief Technology Officer // American Express

We are committed to the GitHub Secure Open Source Fund in line with our long-standing commitment to the FOSS ecosystem, from which we benefit enormously. We see this program as an exciting win-win: putting money directly into the hands of FOSS developers while enabling important security improvements in the software that benefit everyone.

– Dr. Kailash Nadh, CTO // Zerodha

Program Eligibility and Benefits

GitHub offers security training, collaboration with experts, community support, promotion, and semi-annual security health reports. Maintainers learn hands-on security principles and tools like GitHub Copilot and Copilot Autofix to improve their security posture, reduce security debt, and increase downstream user trust. All funding goes directly to maintainers through GitHub Sponsors. Anyone who currently maintains an open source project with a valid open source license and is located in one of the regions supported by GitHub Sponsors can apply.

Overall, participants receive:

  • Funding: $10,000 per project, aligned with program milestones and checkpoints.
  • Education: a 3-week program of 5-10 hours of engagement per week, mixing one-on-one meetings, classes, workshops, group sessions, project work and mentoring. Projects also work towards project-specific security milestones agreed between the project, the program managers and the GitHub Security Lab.
  • Check-ins: 6-month and 12-month checkpoints following the training.
  • Office hours with GitHub Security: dedicated time with the GitHub Security Lab team to establish effective security policies and best practices for incident management planning and support.
  • Engagement: Q&A with GitHub Sponsors funders, community members, and GitHub executives.
  • Expertise: access to security experts from the GitHub Security Lab, plus Q&A with funders from GitHub Sponsors, community members, and GitHub executives.
  • Tools: free access to and training on relevant GitHub products, including GitHub Copilot, Copilot Autofix, and Secret Scanning.
  • Community: access to the new GitHub Secure Open Source community.
  • Alumni support: ongoing networking and support opportunities from GitHub.
  • Policy education: preparing projects to comply with policies such as Secure by Design and the EU Cyber Resilience Act.
  • Certification and health reports: program certification and semi-annual security audits.

Understanding the state of open source funding in 2024

GitHub wouldn’t be GitHub without its community of developers, partners and customers. Through GitHub Sponsors, we’ve already seen the impact organizations have when they invest in their open source dependencies, whether by supporting dependencies in general, bringing new ideas to life, or creating full-time careers. Since GitHub Sponsors introduced support for organizations, more than 5,800 organizations, including Microsoft and Stripe, have invested in maintainers and projects on GitHub, almost 40% more than last year. In total, the platform has unlocked over $60 million in funding that lets maintainers spend more time on their projects.

But we know we’re only scratching the surface when it comes to organizations and companies supporting open source. This summer we worked with the Linux Foundation and researchers at Harvard’s Laboratory for Innovation Science (LISH) to learn more about the current state of open source funding. We assessed organizations’ funding behavior, potential misalignments and opportunities for improvement. In the report published today, we found the following:

  • Responding organizations invest $1.7 billion in open source annually, which extrapolates to an estimated $7.7 billion invested annually across the entire open source ecosystem.
  • 86% of that investment takes the form of labor contributed by employees and contractors of the funding organization; the remaining 14% is direct financial contribution.
  • Organizations generally know how and where they contribute (65%), but lack concrete clarity about their contributions (38%).
  • Security efforts focus on bugs and maintenance. Only a few (6%) said comprehensive security reviews are a priority.

We will all benefit from more funding being allocated to open source. By addressing issues like open source security at the ecosystem level, we believe we can help create more of the funding and resources that are critical to the sustainability of open source. Not every open source project or maintainer has access to security funding and training, which is why we created a fund that any eligible recipient can apply for. For some, receiving training, tools, mentorship and financial support can be a game-changer, because it lets them invest time in improving the security of their project. We are encouraged by the work of other organizations, projects and communities shaping the ecosystem. Ecosystem partners such as CURIOSS, Ecosyste.ms, the Laboratory for Innovation Science at Harvard, Mozilla Foundation, OpenForum Europe, OpenJS, OpenSSF, Open Source Initiative, Open Technology Fund, Open Source Collective, Sovereign Tech Agency and Sustain OSS, among others, have committed to this effort and contributed input, feedback and ideas to bring it to life.

We are pleased that the GitHub Secure Open Source Fund will leverage the insights of our OpenSSF community by working directly with critical projects and developers to help improve the security posture of their software and communities. We have long known that people are the engine that drives open source forward, and we are pleased that this model builds on research collaborations between GitHub, Harvard University, the Linux Foundation, and the OpenSSF community. We look forward to the positive impact on sustainability and security of open source.

– Hilary Carter, SVP Research // Linux Foundation, and Christopher Robinson, Chief Architect of OpenSSF // Linux Foundation

Supporting a future for 1 billion developers

This is the beginning of a journey to help find ways to secure open source. This alone is not a solution, but we are confident it will help. We will monitor the impact of these investments and share our findings.

Join us in investing in and building a more secure open source ecosystem. We hope new programs like the GitHub Secure Open Source Fund enable a healthier, more diverse, and more secure open source ecosystem for everyone by fostering a culture of proactive security and helping organizations demonstrate to their stakeholders the value of investing in open source security. Whether by making financial investments, promoting secure open source practices, sharing your expertise, or advocating for secure practices, together we can all help build a stronger, more resilient open source community.

Written by

Vice President of Developer Relations
