30.4: Government Funding and Public-Private Partnerships¶

Open source software is critical infrastructure. Governments rely on it for defense systems, healthcare administration, financial regulation, and countless other essential functions. When Log4Shell was discovered, government agencies worldwide scrambled to assess exposure in systems they often didn't fully understand. The realization that volunteer-maintained software underpinned government operations prompted a fundamental question: if open source is public infrastructure, should public funds support its security?

Governments are increasingly answering yes. Germany's Sovereign Tech Fund invests millions of euros in open source infrastructure. CISA has launched dedicated open source security initiatives. The European Union funds open source security through multiple programs. These investments acknowledge what market failure economics predicts: public goods require public investment. Yet government involvement in open source raises legitimate concerns about independence, governance, and the potential for security support to become security influence. Designing effective public-private partnerships requires balancing investment benefits against these risks.

Sovereign Tech Funds¶

Sovereign Tech Fund (Germany):

Germany's Sovereign Tech Fund (STF), launched in 2022, represents the most ambitious government investment specifically dedicated to open source infrastructure. Funded by the German Federal Ministry for Economic Affairs and Climate Action, the STF invests in "digital infrastructure that society relies on."

Program structure:

• Multi-million euro annual investment (€3.5 million initial allocation in 2022, growing to €11.5 million in 2023 and €17 million in 2024)¹
• Direct funding to open source projects and maintainers
• Focus on foundational infrastructure used broadly, not just by German government
• Independent governance through the Sovereign Tech Agency

Funded projects include:

• curl: The ubiquitous data transfer library
• OpenSSH: Secure shell protocol implementation
• Log4j: Following the Log4Shell crisis
• WireGuard: Modern VPN protocol
• Fortran: Continued development of scientific computing language
• Numerous additional infrastructure projects

Investment approach:

STF takes a distinctive approach:

• No strings attached: Projects receive funding without government control requirements
• Maintainer-directed: Funds are controlled by maintainers, not government
• Infrastructure focus: Prioritizes foundational software over applications
• Long-term commitment: Multi-year funding provides sustainability

The STF aims to "sustainably strengthen the open source ecosystem" and support "open digital infrastructure"—recognizing that critical infrastructure requires investment, not just reliance on volunteer efforts.

Model significance:

The STF model demonstrates:

• Government can fund open source without controlling it
• Public investment addresses market failures private investment cannot
• Digital infrastructure merits the same public investment as physical infrastructure
• Relatively modest investment (by government standards) produces significant impact

Replication potential:

Other governments considering similar funds can learn from STF:

• Governance structure that maintains independence
• Selection criteria balancing impact with need
• Administrative efficiency avoiding bureaucratic overhead
• Transparency in funding decisions and outcomes

U.S. Government Initiatives¶

The United States has taken a different approach, emphasizing coordination, standards, and public-private partnership rather than direct funding for open source projects.

CISA Open Source Security:

The Cybersecurity and Infrastructure Security Agency (CISA) has launched multiple open source security initiatives:

Open Source Software Security Roadmap (2023):

CISA's roadmap establishes strategic priorities:

1. Establishing CISA's role in open source security
2. Driving visibility into open source use and risks
3. Reducing security risks in open source software
4. Hardening the open source ecosystem

Key initiatives include:

• SBOM adoption: Driving software bill of materials implementation
• Secure by Design: Incorporating open source in secure development guidance
• OSS-SBOM coordination: Working with package registries on SBOM integration
• Vulnerability coordination: Improving CVE processes for open source

Funding approach:

Unlike Germany's direct investment model, U.S. government support flows through:

• OpenSSF participation: Federal agencies participate in OpenSSF working groups
• Research funding: NSF, DARPA fund security research affecting open source
• Procurement requirements: Security requirements in federal procurement indirectly drive investment
• Standards development: NIST frameworks become de facto requirements

Executive Order 14028:

The May 12, 2021 executive order on improving cybersecurity created obligations affecting open source:

• SBOM requirements for software sold to government
• Secure development attestation requirements
• Vulnerability disclosure requirements

While not direct funding, these requirements create market incentives for security investment in open source used by federal contractors.

Potential direct funding:

Policy discussions increasingly consider direct U.S. government funding for critical open source:

• Proposals for American Sovereign Tech Fund equivalents
• Bipartisan recognition of open source as infrastructure
• Budget discussions including open source security provisions

The trajectory points toward eventual direct U.S. government investment in open source security.

EU Funding Programs¶

The European Union funds open source security through multiple programs and mechanisms.

EU-FOSSA:

The EU Free and Open Source Software Auditing (EU-FOSSA) program funded security audits of open source software used by EU institutions:

• Multiple phases from 2015-2020
• EU-FOSSA 1 (2015-2016): Funded audits of KeePass and Apache HTTP Server
• EU-FOSSA 2 (2017): VLC Media Player audit
• EU-FOSSA 3 (2019-2020): Bug bounty programs for 14 projects including Apache Kafka, PuTTY, Notepad++, Filezilla, 7-Zip, and Drupal
• Identified and remediated numerous vulnerabilities

EU-FOSSA demonstrated EU appetite for direct investment in open source security, though as a limited-term program rather than ongoing commitment.

Horizon Europe:

The EU's Horizon Europe research framework includes cybersecurity focus areas relevant to open source:

• Research funding for security tooling
• Software security methodology development
• Supply chain security research
• Funding accessible to academic and industry researchers

Digital Europe Programme:

Digital Europe includes provisions supporting open source:

• Digital infrastructure investments
• Cybersecurity capacity building
• Interoperability and standards development

NGI (Next Generation Internet):

The NGI initiative funds open source through intermediary organizations:

• NLnet Foundation distributes grants to open source projects
• Security improvements as explicit funding priority
• Privacy-enhancing technology development
• Internet infrastructure resilience

NLnet has provided grants to hundreds of open source projects, with security work as a significant focus.

EU approach characteristics:

EU funding differs from the German STF model:

• More fragmented across programs
• Research orientation (especially Horizon)
• Audit focus (EU-FOSSA) rather than ongoing support
• Grant-based with significant administrative requirements

The EU CRA's regulatory approach complements funding by creating market incentives—commercial entities must invest in open source security to meet compliance requirements.

Public-Private Partnerships¶

Effective open source security investment often combines public and private resources through partnership structures.

OpenSSF as partnership model:

The Open Source Security Foundation exemplifies public-private partnership:

• Corporate members: Major technology companies provide primary funding
• Government participation: Federal agencies participate in working groups
• Foundation governance: Linux Foundation provides neutral governance
• Open development: All work products are publicly available

This model leverages corporate resources and government coordination without government control of outputs.

Alpha-Omega as funded partnership:

Alpha-Omega demonstrates partnership-funded security work:

• Corporate funding from Amazon Web Services (AWS), Google, and Microsoft
• Nearly $6 million in grants distributed in 2024
• Professional security engineers working with projects
• Foundation governance through OpenSSF
• Direct security improvements to critical projects (10 major organizations in 2024)

Government could expand such models by contributing funding alongside corporate sponsors.

NIST collaboration:

NIST's framework development involves extensive partnership:

• Public comment on draft frameworks
• Industry and academic input
• Open standards development process
• Frameworks become referenced in regulation

NIST's SSDF, SBOM guidance, and other outputs shape industry practice through collaborative development.

Partnership design elements:

Effective public-private partnerships share characteristics:

National Security Agency Involvement¶

National security agencies—including the U.S. National Security Agency (NSA), UK Government Communications Headquarters (GCHQ), and equivalents elsewhere—have legitimate interests in open source security. They also raise legitimate concerns.

Security contributions:

Security agencies contribute to open source:

• Security guidance: NSA publishes security hardening guides for open source platforms
• Vulnerability research: Agency researchers find and report vulnerabilities
• Standards participation: Agencies contribute to cryptographic standards
• Tool development: Some security tools released as open source (e.g., NSA's Ghidra, released March 2019)

Community concerns:

Agency involvement raises concerns:

• Backdoor potential: Fear that contributions could introduce vulnerabilities
• Cryptographic standards: History of alleged weakening of standards (Dual_EC_DRBG controversy)
• Trust asymmetry: Agencies' intelligence missions conflict with transparency expectations
• Chilling effects: Agency involvement may discourage participation from privacy-focused contributors

Dual EC DRBG example:

The Dual Elliptic Curve Deterministic Random Bit Generator controversy illustrates concerns:

• NIST-standardized random number generator
• NSA promoted its inclusion in standards and products
• Later revealed to potentially contain NSA backdoor
• RSA Security reportedly received $10 million to make it default in products² (RSA categorically denied this characterization)
• Incident damaged trust in NSA cryptographic contributions

This history informs ongoing skepticism about agency involvement in open source security.

Managing agency involvement:

Communities navigate agency involvement through:

• Code review: All contributions undergo normal review regardless of source
• Cryptographic audits: Independent review of security-sensitive code
• Transparent governance: Public decision-making processes
• Separation: Distinguishing agency contributions from agency control

Agency contributions can be beneficial when subject to the same scrutiny as any other contribution.

Balancing Support with Independence¶

Government funding benefits must be balanced against independence concerns.

Independence risks:

Potential concerns include:

• Mission drift: Projects prioritizing funder interests over community needs
• Capture: Government influence over project direction
• Politicization: Open source becoming subject to political pressures
• Exclusion: Funding conditional on excluding certain contributors (sanctions, security concerns)

Governance safeguards:

Effective structures protect independence:

• Intermediary organizations: Foundations as buffers between government and projects
• No-strings funding: Support without control over project decisions
• Transparent criteria: Public, objective criteria for funding decisions
• Community control: Maintainers retain governance authority
• Multi-source funding: Avoiding dependence on single funder

STF approach:

The Sovereign Tech Fund's "invest and get out of the way" approach demonstrates how government can fund without controlling:

• Funding decisions made independently from government ministries
• No German government requirements on projects
• International projects funded without geographic restrictions
• Project governance unchanged by funding

OpenSSF approach:

OpenSSF governance includes government participation without government control:

• No government veto over technical decisions
• Working groups open to all participants
• Technical merit drives direction
• Government representatives participate as peers

These models demonstrate that government support need not compromise independence.

Effective Partnership Design¶

Designing effective public-private partnerships requires attention to structure, process, and safeguards.

Structural elements:

• Clear charter: Documented purpose, scope, and governance
• Balanced representation: No single stakeholder dominates
• Defined roles: Clear responsibilities for all parties
• Funding transparency: Public disclosure of contributions and allocations
• Exit provisions: How parties can leave without disruption

Process elements:

• Open decision-making: Transparent criteria and processes
• Technical merit focus: Decisions based on technical rather than political factors
• Community input: Mechanisms for broader community participation
• Regular review: Periodic assessment of partnership effectiveness
• Dispute resolution: Processes for addressing conflicts

Safeguards:

• Independence protection: Structural barriers to funder control
• No exclusive rights: Funded outputs available to all
• Audit rights: Verification of fund use
• Conflict of interest policies: Managing participant conflicts
• Continuity planning: Sustainability beyond current funding

Recommendations¶

We recommend the following approaches for government and project engagement:

For governments:

1. Invest in open source infrastructure through sovereign tech fund models
2. Design for independence: Fund without control, use intermediary organizations
3. Focus on foundational infrastructure with broad societal benefit
4. Provide multi-year commitments enabling project sustainability
5. Coordinate internationally to avoid duplication and ensure coverage
6. Separate funding from security agencies to maintain trust

For open source projects:

1. Engage with government funding opportunities where appropriate
2. Maintain governance independence regardless of funding source
3. Diversify funding to avoid dependence on single sources
4. Document funding transparently to maintain community trust
5. Evaluate alignment between funder interests and project mission
6. Preserve community control over technical direction

For foundations:

1. Serve as intermediaries between government funding and projects
2. Develop governance frameworks protecting project independence
3. Advocate for effective policy supporting open source security
4. Coordinate across initiatives to maximize impact
5. Monitor for capture and maintain independence safeguards
6. Report transparently on funding sources and allocation

For partnership designers:

1. Study existing models: STF, OpenSSF, and others provide templates
2. Engage all stakeholders in design process
3. Build in accountability without control
4. Plan for sustainability beyond initial funding
5. Document lessons learned to benefit future initiatives
6. Iterate based on experience as partnerships mature

Government investment in open source security is economically justified and increasingly recognized as necessary. The challenge is designing investment mechanisms that provide resources while preserving the independence and community governance that make open source valuable. The emerging models—from Germany's Sovereign Tech Fund to CISA's coordination initiatives to EU funding programs—provide templates for effective public-private partnership that other governments can adapt to their contexts.