GitHub Announces New Open Source Fund with Security Mentoring

The GitHub Secure Open Source Fund launched this week with an initial commitment of $1.25 million, reports TechCrunch, using 'capital from contributors including American Express, 1Password, Shopify, Stripe, and GitHub's own parent company Microsoft.'

GitHub briefly teased the new initiative at its annual GitHub Universe developer conference last month, but Tuesday it announced full details and formally opened the program for applicants, which will be reviewed 'on a rolling basis' through the closing date of January 7, 2025, with programming and funding starting shortly after...

Tuesday's news builds on a number of previous GitHub initiatives designed to support project maintainers that work on key components of critical software, including GitHub Sponsors which landed in 2019 (and which is powering the new fund), but more directly the GitHub Accelerator program that launched its first cohort last year — the GitHub Secure Open Source Fund is essentially an extension of that.

'We're trying to acknowledge the fact that we're the home of open source, ultimately, and we have an obligation to help ensure that open source can continue to thrive and have the support that it needs,' GitHub Chief Operating Officer Kyle Daigle told TechCrunch in an interview. Qualifying projects can be pretty much any project that has an open source license, but of course GitHub will be looking at those that need the funds most — so Kubernetes can hold fire with its application. 'We're looking for the outsized impact, which tends to be big projects with few maintainers that we all rely on,' Daigle said.

The sum of $1.25 million might sound like a reasonable amount, but it will be split across 125 projects, which means just $10,000 each — better than nothing, for sure, but a drop in the ocean on the grand scheme of things. However, Daigle is quick to stress that money is only part of the prize here — as with the initial accelerator program, maintainers embark on a three-week program, which includes mentorship, certification, education workshops, and ongoing access to GitHub tools.

From GitHub's announcement:

Since introducing support for organizations through GitHub Sponsors, more than 5,800 organizations, including Microsoft and Stripe, have invested in maintainers and projects on GitHub, up nearly 40% YoY. Cumulatively, the platform has unlocked over $60 million in funding for maintainers to help them spend more time working on their projects.
But we know we're just scratching the surface when it comes to organizations and corporate support of open source. This summer, we partnered with the Linux Foundation and researchers from Laboratory for Innovation Science at Harvard (LISH) to learn more about the state of open source funding today. Diving in, we assessed organizations funding behaviors, potential misalignments, and opportunities to improve. In the report launched today, we found:

- Responding organizations annually invest $1.7 billion in open source, which can be extrapolated to estimate that approximately $7.7 billion is invested across the entire open source ecosystem annually.
- 86% of investment is in the form of contribution labor by employees and contractors working for the funding organization, with the remaining 14% being direct financial contributions.
- Organizations generally know how and where they contribute (65%) but lack specific clarity of their contributions (38%).
- Security efforts focus on bugs and maintenance; only a few (6%) said comprehensive security audits are a priority.
We all stand to benefit from unlocking more funding for open source. By tackling problems like open source security as an ecosystem, we believe we can help create more available funding and resources that are vital to the sustainability of open source. Not every open source project or maintainer has access to funding and training for security. That's why we created a fund that everyone potentially eligible can apply for...

This is the beginning of a journey into helping find ways to secure open source. On its own, it's not the answer, but we are confident it will help. We will be monitoring the impact of these investments and share what we learn as we go.

Read more of this story at Slashdot.