GitHub launches fund to help open source projects improve security

$10,000 up for grabs for eligible projects


GitHub has launched an initiative aimed at enhancing trust and security in open-source software.

The GitHub Secure Open Source Fund, part of its Accelerator programme, is providing $1.25M in funding to 125 projects, backed through the support of American Express, Microsoft, Stripe, Shopify, 1Password and others. It seeks to improve the security and sustainability of open source projects by providing financial support, security education and community engagement.

Maintainers of open-source projects can apply for the programme, which offers $10,000 in funding per project, along with a three-week educational programme and various benefits. Applications for the fund are open until 7th January 2025.

"Talking with maintainers, foundations and other companies like ourselves, we wanted to create a different way to help," said GitHub's VP of developer relations Martin Woodward in a blog post.

"The goal is to improve security for projects in a way that scales, by building a security-minded community of maintainers and funders with shared objectives. The community stands to benefit with reduced security risk, visibility and insights on project security status, and consistent reporting."

The move comes as regulators are looking critically at the software supply chain, where widely used but poorly maintained open source projects are a weak point. Initiatives such as CISA's Secure by Design and regulation such as the EU Cyber Resilience Act push organisations to improve their due diligence over the software they ship and depend on.

The scheme builds on GitHub Sponsors, an initiative to help fund open source contributors which allows individuals and companies to donate to projects or maintainers.

"We see this programme as an exciting win-win: getting money directly into the hands of FOSS developers, while enabling critical security improvements in software that benefits everyone," said Hilary Packer, American Express CTO, on the blog.

The funding of open source software is a live and urgent issue. Among several initiatives, industry veteran Bruce Perens is promoting the creation of third-party, nonprofit companies to distribute funds to developers and maintainers based on contributions.

Earlier this year, GitHub's VP of communities, Stormy Peters, told Computing the company wants to target the projects that really matter, so that maintainers and developers of vital software can focus on what they are good at, rather than having to be part-time fundraisers.

"We're aiming at letting them work on their software and make a living off of it," she said. "We want to tie it to dependencies or some kind of norm or usage."

A recent survey by GitHub, the Linux Foundation and researchers from Harvard University found that organisations invest around $7.7 billion annually in open source software, the majority being in the form of employee and contractor contributions.

However, it found that there is a lack of clarity around these contributions, and security efforts often focus on bug fixes and maintenance rather than comprehensive audits.