
Can the Open Source Endowment Fix What Years of Neglect Broke?

The Open Source Endowment promises a permanent funding fix for vital open source infrastructure, yet its slow‑drip investment approach raises questions about how much help will reach projects that need cash now.


There hasn’t been much in the news about Open Source Endowment since its big launch in late February, which maybe isn’t surprising given the slow-burn nature of the new organization’s plans for funding essential but underfunded software projects. What is surprising is that the PR gristmills haven’t been pumping out stories from big tech — and medium-sized tech trying to pass for big tech — bragging about contributing to the new forever fund.

In case you somehow missed the news, the new endowment is supposed to eventually be another savior for essential open source projects that are being maintained solely by dedicated volunteers, although there are already organizations trying to address the issue. These include the Linux Foundation, whose Alpha-Omega Project funds and helps harden a small number of critical underfunded projects.

There are other funding avenues as well. Funding essential open source projects that are being maintained strictly by volunteer developers became a priority more than a decade ago, after OpenSSL — the open-source library for encrypted network communications that’s used by nearly everybody, including most HTTPS websites — was found to have a serious vulnerability. The vulnerability, which had been unpatched and undiscovered for a couple of years, affected about 17% of the internet’s secure web servers.

That brought to the forefront an issue that open source security researchers had been trying to shine a light on for years: hundreds, maybe thousands, of essential projects were getting by with little to no funding. Then, as well as now, surveys consistently found that a majority of maintainers were unpaid, meaning that by necessity, software maintenance came after figuring out a way to keep the landlord satisfied and beans on the table.

Like OpenSSL, the affected projects aren’t flagship software brands with names that everyday computer users are liable to recognize, although they’re likely to be contained within software they use every day. However, they are part of the infrastructures that everyday users frequently depend on. This would include the software that runs or supports online banking, or the software used by utilities such as power and water.

Funding Projects that Need It

Since Heartbleed and other near misses (Apache Struts, anyone?), the Linux Foundation has picked up the reins, and with its Alpha-Omega project leads the way in funding critical projects that need it. However, while the Linux Foundation points with pride to the $5.8 million it spent last year funding 14 projects, that’s a mere drop in the bucket considering the foundation’s own literature mentions hundreds of thousands of widely used open source components with serious security and maintenance issues.

The foundation’s spending here seems to be paltry, a small fraction of what the organization should be able to raise and spend for the purpose. Consider this: the money that the Alpha-Omega project spent last year represents less than 2% of the Linux Foundation’s annual budget. Its members could likely be coerced into ponying up more, since most of them are dependent on software from projects in need of funds.

Some of these needy projects have been receiving funds directly from corporate users who’ve realized that taking without giving can come with the hidden expense of a costly breach due to an unknown security vulnerability. Not all projects are willing to take funds from corporate sources, however, as such funding could come with strings that down the road could be contrary to the project’s values.


An Endowment to the Rescue?

At first glance, Open Source Endowment looks like a gallant knight ready to rescue the distressed damsel. A little closer look and the organization’s plans seem like attempts to reinvent the wheel, as it doesn’t really bring anything to the table that the Linux Foundation isn’t already offering.

However, it does open another avenue for corporate users to help fund the maintenance of software they depend on. And since members are expected to contribute at least $1,000 monthly to the endowment, it brings something of a pay-for-what-you-use aspect, which is satisfying from a fairness perspective.


The endowment’s design also adds uncertainty about whether the funds it collects will ever get to the projects that need them, since funding will come from the endowment’s earnings. The principal — money contributed to the endowment — will remain intact. Only investment income will be disbursed.

This means that everything must go according to plan before, eventually, some money will go to fund projects.

If something goes wrong with the economy — say, an unexpected war in Iran that shuts down global oil supply, driving stock markets down; or a wave of defaulting unsecured home loans, putting the economy into a tailspin — the money won’t be forthcoming. Even in the best-case scenario, it’ll take a lot to fund a little.

For example, the project’s website shows that it currently has a nest egg of $752,000. If the market performs well this year and the organization sees a 10% return on its investment, a year from now there will be $75,200 in the bank to go to projects. However, an oil crisis, tariff war, or the like could throw a wrench into the machinery and lower the amount of funds available for disbursement.

Also, although it’s not spelled out, this probably means that if the principal declines this year, that money will have to be earned back before any funds are disbursed.

Principals and Backers

Although it just came out of stealth, the Open Source Endowment was founded in February 2025 by Konstantin Vinogradov, a VC investor specializing in open source, AI, and infrastructure software. He spent more than 13 years at Runa Capital, leaving as a general partner in December, although he remains connected as an advisor. Backers include Thomas Dohmke, a former GitHub CEO who recently raised $60 million for his startup Entire; Mitchell Hashimoto, the founder of HashiCorp, which IBM purchased for $6.4 billion last year; Paul Copplestone, founder and CEO of Supabase; and others. In total, the project so far has over 50 donors.
