Henry Zhu makes software that’s crucial to websites you use every day, even if you’ve never heard of him or his software.
Earlier this year, Zhu quit his job at Adobe to work on Babel full-time. That was risky, because Babel is open source, meaning it is freely available online, and users don’t have to pay for it. That means Zhu has to come up with other ways to earn money from Babel.
It’s a familiar situation for open source developers, especially those working on unsexy, “under the hood” projects that don’t get much attention—including many that are more obscure than Babel. Some developers are paid to work on open source as part of their day jobs. But all too often, these projects need more work than an employee juggling other tasks can manage. And that can cause big problems as programmers increasingly rely on open source “libraries” of code that may in turn rely on other libraries.
A startup called Tidelift hopes to help these unsung programmers make money with a business model the company compares to Netflix. The idea is that a company pays a subscription fee to Tidelift, which takes a cut and then distributes the remainder to open source projects that the subscriber uses, such as Babel. In exchange, the subscriber gets assurance that the software is properly maintained.
Why would a company shell out money to Tidelift for software they’ve been using for free? Primarily for support, and to ensure that the software stays up to date, and works well with other programs.
It’s not a new idea. Red Hat generated $2.9 billion in revenue last year while giving away its flagship product, which is based on the Linux kernel and other open source software. Customers pay Red Hat for technical support and the comfort of a business relationship with the developers of software they depend on.
That doesn’t work as well for smaller open source projects that it would be hard to build a company around. And customers don’t necessarily want to create contracts with dozens, or hundreds, of independent software developers.
Tidelift tries to solve this by gathering those developers under one umbrella. Customers pay Tidelift, and developers can focus on code instead of sales and marketing. “We couldn’t understand why something like this didn’t exist, so we created it,” says Tidelift CEO Donald Fischer, a former executive at Red Hat who founded the company with other open source veterans.
Unlike Red Hat, Tidelift doesn’t offer technical support, and it doesn’t employ the developers who maintain open source projects. Instead, it offers customers certain assurances. When a customer signs up with Tidelift, the company analyzes the customer’s code to see what open source software it depends on, and what open source projects those programs depend on. Tidelift charges a subscription fee based on the number of participating projects a customer relies on. It also analyzes the licenses of the open source software used by the customer, looking for licensing issues. And it looks for known security vulnerabilities, while updating customers about security fixes.
To participate in Tidelift, open source developers must ensure that their software doesn’t contain known vulnerabilities, and commit to maintaining the software. They also pledge to communicate with Tidelift and its subscribers about security issues, feature updates, and other technical issues.
“The things that we do for Tidelift are things we should be doing anyway,” Zhu says.
Tidelift doesn’t promise to find or fix previously undiscovered security issues. Instead, it aims to help customers avoid something like what happened to Experian. Last year the credit-reporting company revealed that hackers had gained access to millions of consumer files through a vulnerability in the open source Apache Struts web-application software. The flaw had been fixed by the Struts team, but Experian wasn’t running an up-to-date version of the software.
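The dependency analysis described above (walking a customer’s direct and transitive dependencies and checking each against known vulnerabilities) and the lesson of the Struts incident (a fix existed, but the deployed version predated it) can be illustrated with a small audit routine. This is an added example, not Tidelift’s code or any real scanner; the lockfile, package names, versions and advisory identifiers are all constructed for illustration.

```javascript
// Added example (not Tidelift's code): walk a constructed lockfile-style
// dependency graph, collect every transitive package, and flag any whose
// resolved version predates the first patched release named in an
// advisory feed. Every name, version and advisory id here is constructed.

// Constructed lockfile: each entry is the resolved version plus what it requires.
const LOCK = {
  "my-app":          { version: "1.0.0", requires: ["web-framework", "json-util"] },
  "web-framework":   { version: "2.3.1", requires: ["template-engine"] },
  "template-engine": { version: "1.4.0", requires: ["json-util"] },
  "json-util":       { version: "0.9.2", requires: [] },
};

// Constructed advisory feed: a package is affected while its version is
// below the first release that carries the fix.
const ADVISORIES = [
  { id: "EXAMPLE-ADV-1", pkg: "template-engine", patchedIn: "1.5.0" },
  { id: "EXAMPLE-ADV-2", pkg: "json-util",       patchedIn: "0.9.0" },
];

// Compare two "major.minor.patch" strings numerically, not lexically,
// so that 1.10.0 sorts after 1.9.0. Missing components count as 0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x - y;
  }
  return 0;
}

// Depth-first walk from the root, returning every package reachable
// directly or indirectly. A package required by two parents is listed once.
function transitiveDeps(lock, root) {
  const seen = new Set();
  (function visit(name) {
    if (seen.has(name) || !lock[name]) return;
    seen.add(name);
    lock[name].requires.forEach(visit);
  })(root);
  seen.delete(root);
  return [...seen].sort();
}

// Report each transitive dependency still running a version below the fix.
function findVulnerable(lock, advisories, root) {
  return transitiveDeps(lock, root).flatMap((name) =>
    advisories
      .filter((adv) => adv.pkg === name && compareVersions(lock[name].version, adv.patchedIn) < 0)
      .map((adv) => ({ pkg: name, version: lock[name].version, advisory: adv.id, fixedIn: adv.patchedIn }))
  );
}

console.log(findVulnerable(LOCK, ADVISORIES, "my-app"));
```

Here only `template-engine` is reported: it is reachable only through `web-framework`, so a check of direct dependencies alone would miss it, while `json-util` is already at a patched version.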
Ideally, Tidelift could help with another big security issue as well. Volunteer-run open source projects lack the resources to conduct extensive security audits, which has led to gaping security holes. In 2014, for example, security researchers revealed critical vulnerabilities in OpenSSL, which is used by nearly every site that processes credit card transactions, and Bash, which is included in a huge number of operating systems.
Fischer hopes that by providing more funding to less visible open source projects, developers can find and fix these sorts of issues before they become crises, like the OpenSSL and Bash vulnerabilities, known as “Heartbleed” and “Shellshock” respectively.
Tidelift isn’t providing developers much funding yet. The company won’t disclose how many customers it has, or any names. Zhu says Tidelift isn’t yet paying him anywhere near enough to make a living.
Tidelift, which has raised $15 million in venture capital, announced last week that it has $1 million earmarked for new developers who join its program. Developers will be paid at least $10,000 over a two-year period.
That’s not enough to pay even a single full-time developer. But it does inch developers like Zhu, who also makes money by allowing companies like Facebook and Airbnb to pay for sponsorships on Babel’s website, closer to making a living. And the more developers sign up, the more value Tidelift can potentially offer its customers.