GitHub launches AUD $1.91m fund for open source security

The GitHub Secure Open Source Fund has been established to allocate AUD $1.91 million (USD $1.25 million) across 125 open source projects with the aim to enhance security and sustainability in the open source ecosystem.

Initiated with the backing of companies including American Express, Zerodha, and others, the fund will not only provide financial support but also offer security education, mentorship, and other resources to maintainers. Applications for this programme are currently open until 7 January, with programming and funding to commence in early 2025.

The programme seeks to alleviate the challenges maintainers face when managing open source projects, especially concerning security issues. Many maintainers struggle with prioritising security due to time constraints and the voluntary nature of their contributions. "For the people that maintain much of the open source that the world depends on today, security is important but also often difficult to prioritise amongst all the other work needed when running a popular open source project," the fund explains.

GitHub emphasises that this initiative aims to create a security-minded community of maintainers and funders with shared objectives. The programme is structured to include a three-week educational course, hands-on training, and security assessments, to be conducted at 6-month and 12-month intervals.

Hilary Packer, Chief Technology Officer at American Express, expressed, "Open source helps American Express provide the world's best customer experience every day by allowing our developers to innovate, collaborate, and share. The security of open source software has long been a priority for our company. We are proud to back this important program that aims to improve security in a scalable way and help support open source maintainers to implement secure software."

Dr. Kailash Nadh, CTO of Zerodha, also spoke on their involvement: "We are committing to the GitHub Secure Open Source Fund in alignment with our long-standing commitment to the FOSS ecosystem, from which we benefit immensely. We see this program as an exciting win-win: getting money directly into the hands of FOSS developers, while enabling critical security improvements in software that benefits everyone."

The programme is open to current maintainers of open source projects with valid licenses located in GitHub Sponsors' supported regions. A range of tools including GitHub Copilot and Copilot Autofix will be made available to participants, alongside tailored security education, mentorship, and community engagement.

The announcement of this fund coincides with the release of the 2024 OSS Funding Survey, a joint effort by GitHub, the Linux Foundation, and Harvard researchers. The report highlights existing funding dynamics, noting that organisations invest an estimated USD $7.7 billion in open source annually, predominantly through employee labour rather than direct financial contributions.

Hilary Carter, SVP Research at the Linux Foundation, and Christopher Robinson, Chief Architect of OpenSSF // Linux Foundation, shared a joint statement: "We are excited that the GitHub Secure Open Source Fund will apply learnings from our OpenSSF community by directly engaging with critical projects and developers to help improve the security posture of their software and communities. We've long understood that people are the engine that powers open source, and excited that this model builds on the research collaboration between GitHub, Harvard University, and the Linux Foundation and the OpenSSF community. We look forward to the positive impact on open source sustainability and security."

This initiative strives to foster a more secure open source ecosystem through various support mechanisms, with the broader goal of cultivating a proactive culture in software security, thereby demonstrating the significance of investing in open source security to stakeholders.