
24.6 Accessing Resources and Support

Maintaining open source software is often unpaid work with high expectations. Yet critical infrastructure depends on projects maintained by individuals or small teams with limited resources. The good news is that the ecosystem increasingly recognizes this unsustainability, and resources exist to help. Funding programs, security tools, mentorship networks, and foundation support can give maintainers the help they need to improve security without bearing all of the cost themselves.

Many maintainers don't know these resources exist, or assume they're only for large projects. In reality, programs range from automated tools anyone can use, through community mentorship open to all, to significant funding for critical projects. This section catalogs available resources and provides guidance on accessing them.

OpenSSF Programs

The Open Source Security Foundation (OpenSSF) coordinates industry efforts to improve open source security. Several programs directly support maintainers.

OpenSSF program descriptions and eligibility:

Alpha-Omega Project:

Alpha-Omega provides funding and security expertise to improve security of critical open source projects.

| Aspect | Details |
|---|---|
| Focus | Most critical open source projects (Alpha) and long-tail ecosystem improvements (Omega) |
| Support provided | Direct funding, security expertise, staffing support |
| Eligibility | Critical projects identified through analysis; projects can express interest |
| How to engage | Contact Alpha-Omega through OpenSSF; participate in OpenSSF working groups |

In 2024, Alpha-Omega distributed nearly $6 million in grants to critical projects.[1] Supported projects include Python Software Foundation (dedicated security positions), OpenJS Foundation (Node.js and broader JavaScript ecosystem security), Ruby Central (RubyGems security), FreeBSD Foundation, Rust Foundation, Linux kernel, and Homebrew. The program helps staff security teams at major organizations and funds ecosystem-wide initiatives like malicious package detection, security audits, and infrastructure hardening.

Scorecard:

Scorecard automatically assesses open source project security practices and provides actionable improvement suggestions.

| Aspect | Details |
|---|---|
| What it does | Evaluates projects against security best practices (branch protection, CI tests, dependency updates, etc.) |
| Cost | Free |
| How to use | Visit scorecard.dev, enter your repository URL |
| GitHub integration | Scorecard Action runs checks automatically on your repository |

```yaml
# .github/workflows/scorecard.yml
name: Scorecard analysis
on:
  schedule:
    - cron: '0 6 * * 0'  # Weekly, Sunday 06:00 UTC
  push:
    branches: [ main ]

# Default the workflow token to read-only; grant write scopes only to the job that needs them.
permissions: read-all

jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # needed to upload the SARIF results to code scanning
      id-token: write         # needed by publish_results (OIDC-verified publishing)
    steps:
      # Scorecard analyzes a checked-out copy of the repository.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
      # Surface the findings in the repository's Security tab.
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Scorecard results help you identify and prioritize security improvements. Many organizations use Scorecard ratings when evaluating dependencies.
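Scorecard's JSON output is what makes that prioritization scriptable. The following is an added example, not code from this text or from the Scorecard project: it parses a report in the shape that `scorecard --repo=<url> --format=json` (or the Scorecard Action with `results_format: json`) writes, ranks the checks that fall below a chosen floor, keeps inconclusive checks (score -1) separate from genuine failures, and returns a pass/fail verdict a CI job could act on. The embedded report is a constructed sample; its check names and reason strings mirror real Scorecard checks, but the repository, commits and scores are invented.

```python
"""Triage an OpenSSF Scorecard JSON report and gate on a minimum per-check score.

Added example; not code from the original text or from the Scorecard project.
The report embedded below is a constructed sample in scorecard's JSON shape.
"""
import json
from typing import Dict, List, Tuple

# Scorecard scores each check 0..10; -1 means the check could not be evaluated
# (for example, a failed API call). That is "unknown", not "0", and is handled apart.
INCONCLUSIVE = -1

# Constructed sample report (field names follow scorecard's JSON output).
SAMPLE_REPORT_JSON = json.dumps({
    "date": "2024-06-02",
    "repo": {"name": "github.com/example-org/example-lib", "commit": "0" * 40},
    "scorecard": {"version": "v5.0.0", "commit": "0" * 40},
    "score": 5.4,
    "checks": [
        {"name": "Token-Permissions", "score": 0,
         "reason": "detected GitHub workflow tokens with excessive permissions",
         "details": ["Warn: no topLevel permission defined: .github/workflows/ci.yml"]},
        {"name": "Branch-Protection", "score": 3,
         "reason": "branch protection is not maximal on development and/or release branches",
         "details": ["Warn: 'force pushes' enabled on branch 'main'"]},
        {"name": "Pinned-Dependencies", "score": 6,
         "reason": "dependency not pinned by hash detected",
         "details": ["Warn: GitHub-owned action not pinned by hash: .github/workflows/ci.yml"]},
        {"name": "Fuzzing", "score": INCONCLUSIVE,
         "reason": "internal error: unable to query OSS-Fuzz", "details": []},
        {"name": "Binary-Artifacts", "score": 10,
         "reason": "no binaries found in the repo", "details": []},
        {"name": "Security-Policy", "score": 10,
         "reason": "security policy file detected", "details": []},
    ],
})


def parse_report(text: str) -> Dict:
    """Parse a scorecard JSON report, validating the fields the triage relies on."""
    report = json.loads(text)
    for check in report["checks"]:
        score = check.get("score")
        if not isinstance(score, int) or not (INCONCLUSIVE <= score <= 10):
            raise ValueError(f"unexpected score in check {check.get('name')!r}: {score!r}")
    return report


def prioritize(report: Dict, floor: int = 10) -> List[Tuple[str, int, str]]:
    """Checks scoring below `floor`, worst first, as (name, score, reason).

    Inconclusive checks are excluded here; see inconclusive_checks()."""
    below = [(c["name"], c["score"], c["reason"])
             for c in report["checks"]
             if c["score"] != INCONCLUSIVE and c["score"] < floor]
    return sorted(below, key=lambda item: (item[1], item[0]))


def inconclusive_checks(report: Dict) -> List[str]:
    """Names of checks scorecard could not evaluate; rerun or inspect by hand."""
    return sorted(c["name"] for c in report["checks"] if c["score"] == INCONCLUSIVE)


def gate(report: Dict, floor: int, required: Tuple[str, ...] = ()) -> Tuple[bool, List[str]]:
    """CI verdict: fail if any check scores below `floor`, or if a check named in
    `required` is inconclusive (an unknown result is never treated as a pass)."""
    failing = [name for name, _, _ in prioritize(report, floor)]
    failing += [name for name in inconclusive_checks(report) if name in required]
    return (not failing, sorted(failing))


if __name__ == "__main__":
    import sys
    # Pass a real report path as the first argument; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT_JSON
    report = parse_report(text)
    print(f"{report['repo']['name']}: aggregate score {report['score']}")
    for name, score, reason in prioritize(report, floor=7):
        print(f"  {score:>2}/10  {name}: {reason}")
    for name in inconclusive_checks(report):
        print(f"   ?/10  {name}: inconclusive, rerun before trusting the aggregate")
    ok, failing = gate(report, floor=5, required=("Fuzzing",))
    print("gate:", "PASS" if ok else f"FAIL {failing}")
    sys.exit(0 if ok else 1)
```

The floor is deliberately a per-check minimum rather than a threshold on the aggregate: a single 0/10 on Token-Permissions is hidden inside a middling aggregate, and it is exactly the kind of finding that is cheap to fix and that downstream consumers of Scorecard ratings look at.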

Allstar:

Allstar automatically enforces security best practices on GitHub repositories.

| Aspect | Details |
|---|---|
| What it does | Monitors repositories and opens issues or PRs to fix security configuration problems |
| Policies | Branch protection, security policy presence, dangerous workflows, binary artifacts |
| Cost | Free |
| How to enable | Install the Allstar GitHub App on your organization/repositories |

Allstar is particularly useful for organizations managing multiple repositories, ensuring consistent security configuration.

Other OpenSSF resources:

Internship and Student Programs

Student programs provide projects with contributors while giving students meaningful experience.

GSoC and internship opportunities:

Google Summer of Code (GSoC):

| Aspect | Details |
|---|---|
| What it is | Paid summer internships for students contributing to open source |
| For maintainers | Apply as mentoring organization; propose projects needing work |
| Timeline | Organizations apply January-February; students apply March-April |
| Security focus | Security improvements are appropriate project ideas |
| Resources | Google provides stipends; you provide mentorship |

How to participate as a mentoring organization:

  1. Apply during organization application period (January-February)
  2. Propose specific project ideas, including security improvements
  3. Identify mentors willing to guide students
  4. If accepted, review and select student applications
  5. Mentor students through the summer

Linux Foundation Mentorship:

| Aspect | Details |
|---|---|
| What it is | Year-round mentorship program for open source projects |
| Benefits | Stipends for mentees, structured program |
| Security focus | Security-focused mentorships are encouraged |
| How to apply | Projects apply through LFX Mentorship platform |

Other student programs:

  • Outreachy: Internships for underrepresented groups in tech
  • MLH Fellowship: Programs that can include open source contribution
  • University partnerships: Many universities seek capstone projects; security improvements make good projects

Sovereign Tech Funds

Government-backed funds increasingly recognize open source as critical infrastructure and provide direct funding.

Sovereign tech fund overview:

Sovereign Tech Fund (Germany):

The Sovereign Tech Fund (STF) is a German government initiative funding open source infrastructure.

| Aspect | Details |
|---|---|
| Focus | Digital infrastructure used by governments and society |
| Funding | Direct grants for development and maintenance |
| Eligibility | Open source projects, particularly infrastructure; maintainers can apply |
| Security work | Security audits, improvements explicitly supported |
| How to apply | Rolling applications through STF website |

STF has funded security work on projects including curl, OpenSSL, and numerous others. Funding can cover maintainer time, security audits, and infrastructure costs.

Other government programs:

| Program | Country | Focus |
|---|---|---|
| NGI (Next Generation Internet) | EU | Internet technology, including security (check current funding status) |
| NLnet Foundation | Netherlands | Open technology, privacy, security |
| Mozilla Technology Fund | Mozilla Foundation | Open technology and internet health (MOSS on indefinite hiatus) |
| Various SBIR/STTR | US | Research grants that can fund open source security |

Application guidance:

Government funds typically want:

  • Clear description of the project and its importance
  • Specific work plan with deliverables
  • Budget justification
  • Explanation of public benefit
  • Maintenance plan beyond the grant period

Security improvements (audits, fixing vulnerabilities, implementing security features) align well with fund objectives.

Corporate Sponsorship and Support

Many companies that depend on open source provide funding and support to projects they use.

Corporate sponsorship landscape:

GitHub Sponsors:

| Aspect | Details |
|---|---|
| What it is | Monthly sponsorships from individuals and companies |
| For maintainers | Enable sponsors on your profile; set up tiers |
| Best practices | Describe what sponsorship supports; offer recognition |
| Tax implications | Treated as income in most jurisdictions |

Open Collective:

| Aspect | Details |
|---|---|
| What it is | Fiscal hosting and transparent fundraising |
| Benefits | Handles accounting, taxes, receipts; transparent finance |
| For projects | Create collective; accept donations; manage expenses |
| Host options | Open Source Collective (OSC) hosts many projects |

Corporate OSPO programs:

Many companies with Open Source Program Offices (OSPOs) directly fund projects:

| Company | Program |
|---|---|
| Google | Open Source Security Team funding, GOSST |
| Microsoft | FOSS Fund, direct sponsorships |
| Amazon | Open source sponsorships |
| Tidelift | Pays maintainers for maintenance commitments |
| Thanks.dev | Routes funds to dependencies |
| Stackaid | Distributes funding across dependency tree |

How to attract corporate sponsorship:

  1. Make it easy: Enable GitHub Sponsors, Open Collective, or similar
  2. Be visible: Clear documentation of who maintains the project
  3. Show impact: Download counts, dependent projects, users
  4. Communicate needs: Blog about what funding would enable
  5. Offer recognition: Sponsor logos in README, website

Maintainers who enable sponsorship mechanisms and communicate their funding needs often find that corporate sponsorships increase. Companies want to support projects they depend on—they just need to know how.

Foundation Resources

Software foundations provide infrastructure, legal protection, and support for member projects.

Foundation support (Apache, Linux Foundation, etc.):

Apache Software Foundation (ASF):

| Aspect | Details |
|---|---|
| What they provide | Infrastructure, legal protection, governance |
| Security resources | Security team, vulnerability handling process |
| Eligibility | Projects must go through incubation process |
| Cost | Free (foundation is nonprofit) |

Linux Foundation:

| Aspect | Details |
|---|---|
| What they provide | Infrastructure, marketing, governance support |
| Security resources | OpenSSF affiliation, security audits for some projects |
| Programs | Various umbrella projects (CNCF, OpenJS, etc.) |
| Cost | Varies by program |

Eclipse Foundation:

| Aspect | Details |
|---|---|
| What they provide | Infrastructure, legal protection, governance |
| Security resources | Security team, coordinated disclosure |
| Eligibility | Projects join through proposal process |

Other foundations:

  • Python Software Foundation (PSF): Supports Python ecosystem
  • OpenJS Foundation: JavaScript ecosystem projects
  • Rust Foundation: Rust language and ecosystem
  • FreeBSD Foundation: FreeBSD and related projects

Benefits of foundation membership:

  • Infrastructure (hosting, CI/CD, mirrors)
  • Legal protection (trademark, liability)
  • Governance frameworks
  • Visibility and credibility
  • Security resources and coordination
  • Funding opportunities

Considerations:

  • Foundations have governance requirements
  • Project may need to transfer trademarks
  • Decisions may require community consensus processes
  • Not all projects fit foundation models

Community Support Networks and Mentorship

Beyond formal programs, community networks provide peer support, mentorship, and knowledge sharing.

Community mentorship programs:

Informal mentorship:

  • Connect with experienced maintainers in your ecosystem
  • Join maintainer-focused communities and events
  • Ask for advice in community channels
  • Offer to mentor others once you have experience

Where to find community support:

| Resource | Description |
|---|---|
| Maintainer Community | GitHub's community for maintainers |
| Sustain OSS | Community focused on sustaining open source |
| Ecosystem-specific communities | Node.js, Python, Rust, etc. have maintainer groups |
| Conference hallway tracks | In-person connections at OSS conferences |
| Regional meetups | Local open source gatherings |

Sustainability-focused communities:

Security-specific support:

  • OpenSSF Slack: Community discussions on security
  • OWASP Chapters: Local security communities
  • Security conference communities: Connections made at security events

Application and Eligibility Guidance

Navigating funding and support programs can be confusing. Here's general guidance:

For small projects seeking initial support:

  1. Enable GitHub Sponsors and/or Open Collective
  2. Run Scorecard and work toward passing badge criteria
  3. Apply to relevant ecosystem-specific programs
  4. Participate in community events to build visibility

For critical infrastructure projects seeking significant support:

  1. Document your project's importance (users, dependents, infrastructure role)
  2. Apply to Alpha-Omega or similar critical infrastructure programs
  3. Apply to Sovereign Tech Fund or NLnet
  4. Engage with foundations relevant to your ecosystem
  5. Pursue corporate partnerships with companies that depend on your project

Application tips:

  • Be specific: Vague requests get vague responses
  • Show impact: Numbers, users, dependent projects
  • Describe what you'll do: Specific deliverables and timelines
  • Explain sustainability: How will work continue after funding ends?
  • Follow up: Applications sometimes need persistent follow-up

What funders want to see:

| Factor | Why It Matters |
|---|---|
| Clear project governance | Shows the project is stable and accountable |
| Active maintenance | Evidence the project is alive |
| User/dependent count | Demonstrates impact |
| Security practices | Shows responsibility |
| Specific funding request | Easier to evaluate than open-ended asks |

Recommendations

We recommend the following approaches to accessing resources and support:

  1. Start with free tools: Scorecard, Allstar, and OpenSSF training require no application—just use them to improve your project's security.

  2. Enable sponsorship mechanisms: GitHub Sponsors and Open Collective make it easy for users and companies to support you. You might be surprised who contributes.

  3. Apply to relevant programs: Don't assume you're not eligible. Programs like Sovereign Tech Fund specifically want to support maintainers, not just large projects.

  4. Join foundation communities: Even if your project isn't a member, foundation communities provide valuable connections and resources.

  5. Document your project's impact: Numbers help make the case for support. Track downloads, dependents, and users.

  6. Connect with peers: Other maintainers face similar challenges and can share what's worked for them. Community support is valuable beyond funding.

  7. Be persistent: Many programs have rolling applications or multiple cycles. If you're not accepted initially, improve and reapply.

  8. Give back when you can: As you receive support, help others. Mentor new maintainers, contribute to ecosystem security initiatives, share what you've learned.

Resources exist because the industry recognizes that open source sustainability matters. You don't have to maintain critical infrastructure alone and unfunded. Accessing available support improves your project's security, your personal sustainability, and the health of the open source ecosystem.


[1] OpenSSF Alpha-Omega Project, "2024 Impact Report," OpenSSF, 2024, https://openssf.org/community/alpha-omega/; OpenSSF funding announcements throughout 2024.