
Perhaps the most important function of the CFO is to control spending. Do whatever you can to make sure the amount of money coming in is greater than the amount going out. So if someone proposes a significant investment, they’ve got a high bar to pass. And if they’re pitching a voluntary investment, one with no immediate, tangible ROI? The bar is in the stratosphere. The concept of paying for Open Source software, which is essentially free, is one such pitch to CFOs that is more likely to be met with laughter than affirmation. But Open Source isn’t free; the cost is liability. After many years of denying my knee-jerk CFO reflexes, I’ve come around to this fact, and I’d like to help convince my industry counterparts that it’s good business to support Open Source.
Open Source software projects are the foundation of nearly every modern business: 96% of commercial software includes Open Source components. That foundation is at risk of crumbling. Most people are unaware that underfunded volunteers maintain Open Source and are under increasing pressure to do more with less.
Adding Open Source investment to the budget protects a company’s bottom line and minimizes security risk. Enterprises realize the collective benefits of Open Source software, and it’s time we collectively support this fragile, essential ecosystem.
A multi-trillion dollar ecosystem built by unpaid volunteers
Modern business wouldn’t exist without Open Source software. It’s an underappreciated building block of the digital economy, with a staggering financial footprint of $8.8 trillion (the cost if every company had to rewrite the Open Source code they use from scratch).
In stark contrast to this financial impact, the people who maintain Open Source are mostly volunteers who are paid very little, if at all, and are under pressure to do even more as security demands increase. The maintainer population is also shrinking as it ages, with few young people replacing those who step away.

Burnout is common among this group, who carry the weight of responsibilities at their day jobs in addition to keeping the Open Source ecosystem running. This leaves software susceptible to security vulnerabilities that could be catastrophic. As CFOs, we’d never be comfortable leaving mission-critical business functions in the hands of underpaid, overworked volunteers. Yet that’s what most companies do with Open Source.
Recent Open Source security vulnerabilities like Heartbleed, or more recently XZ Utils, have cost companies millions or even billions of dollars. Companies can’t predict when these situations will happen, but when they do, they are completely exposed. These incidents are becoming increasingly common and will worsen if the Open Source maintainer community dwindles.
Investing in Open Source protects the bottom line
Instead of waiting for the next costly security vulnerability, CFOs should consider how they can support the Open Source projects they rely on most.
Paying Open Source maintainers directly mitigates costly risks: Paid maintainers are more diligent about security practices. Financial incentives could also future-proof Open Source by attracting more young developers to become maintainers.
To get a sense of your company’s dependence on Open Source, start the conversation with the executive leadership stakeholders who build and secure products. Then, include backing your dependency stack as an initiative in the next annual or quarterly planning process, just as you would for any other investment decision. This due diligence will help build the momentum to get buy-in from the board and any other key stakeholders. You’ll need internal conviction that this is the right thing to do; the good news is you’ll likely get nothing but support from your technical colleagues in engineering and security.
Once you have internal buy-in, there’s the matter of distributing funds. A stakeholder from the product or development team should lead this effort. The best platforms for distribution are GitHub Sponsors, Open Collective, and thanks.dev. Asking your employees to crowdsource a list of their favorite projects, or even giving them a stipend, is another great way to source recipients and to build morale with the engineering team in the process.
Sentry has always supported the Open Source community—we started life as an Open Source project. Four years ago, we formalized our financial support for Open Source software maintainers, and last year we launched the Open Source Pledge to recruit other companies to join us. Thirty have already answered the call and committed to directly pay Open Source maintainers $2,000 per year per full-time developer on their company’s payroll.
As more companies commit financial support to Open Source software, we’ll collectively feel the positive impacts of a stable, reliable ecosystem. Making this kind of commitment is good for business in other ways, too. For example, it can benefit recruitment since a growing number of employees want to work for purpose-driven companies.
The risk mitigation and recruitment benefits of supporting Open Source apply to all enterprises, but if your company’s primary customers are developers, it should be a no-brainer. Contributing to Open Source is an incredible opportunity for brand marketing to a demographic that notoriously hates being marketed to. Universally, developers love Open Source. They know how fundamental it is not only in their day-to-day work, but to the underpinnings of the internet and the global economy.
Paying our dues
Companies in every industry, not just technology, have benefited from Open Source maintainers’ work for years without paying them. Unless we all start investing now, the check will come due in the form of costly security vulnerabilities and a weakening Open Source infrastructure.
Paying Open Source maintainers isn’t charity. It’s a smart financial investment to bolster a system that nearly every modern business relies on.