Henry Zhu makes software that's crucial to websites you use every day, even if you’ve never heard of him or his software.
Earlier this year, Zhu quit his job at Adobe to work on Babel full-time. That was risky, because Babel is open source—meaning it is freely available online, and users don’t have to pay for it. That means Zhu has to come up with creative ways to earn money from Babel.
It's a familiar situation for open source developers, especially those working on unsexy, "under the hood" projects that don't get much attention—including many that are more obscure than Babel. Some developers are paid to work on open source as part of their day jobs. But all too often, these projects need more work than an employee juggling other tasks can manage. That can cause big problems as programmers increasingly rely on open source “libraries” of code, which may in turn rely on other libraries.
A startup called Tidelift hopes to help these unsung programmers get paid with a business model the company compares to Netflix. The idea is that a company pays a subscription fee to Tidelift, which takes a cut and then distributes the remainder to open source projects that the subscriber uses, such as Babel. In exchange, the subscriber gets assurance that the software is properly maintained.
Why would a company shell out cash to Tidelift for software they've been using for free? Primarily for support, and also to ensure that the software stays up to date, and works well with other programs.
It’s not a new idea. Red Hat generated $2.9 billion in revenue last year while giving away its flagship product, which is based on the Linux kernel and other open source software. Customers pay Red Hat for technical support and the comfort of a business relationship with the developers of software they depend on.
This model doesn’t work as well for smaller open source projects, around which it would be hard to build a company. What's more, customers don't necessarily want to create contracts with dozens, or hundreds, of independent software developers.
Tidelift tries to solve this by gathering those developers under one umbrella. Customers pay Tidelift, and developers can focus on code instead of sales and marketing. "We couldn't understand why something like this didn't exist, so we created it," says Tidelift CEO Donald Fischer, a former executive at Red Hat who founded the company with other open source veterans.
Unlike Red Hat, Tidelift doesn't offer technical support, and doesn't employ the developers who maintain open source projects. Instead, it offers clients certain assurances. When a customer signs up with Tidelift, the company analyzes the customer's code to see what open source software it depends on, and what open source projects those programs depend on. Tidelift then charges a subscription fee based on the number of participating projects a customer relies on. It also analyzes the licenses of the open source software used by the customer, looking for potential issues. And it looks for known security vulnerabilities, while updating customers about security fixes.
To participate in Tidelift, open source developers must ensure that their software doesn't contain known vulnerabilities and commit to maintaining the software. In addition, they pledge to communicate with Tidelift and its subscribers about security issues, feature updates, and other technical matters.
"The things that we do for Tidelift are things we should be doing anyway," Zhu says.
Tidelift doesn't promise to find or fix previously undiscovered security issues. Instead, it aims to help customers avoid something like what happened to Equifax.[1] Last year, the credit-reporting company revealed that hackers had gained access to millions of consumer files through a vulnerability in the open source Apache Struts web application software. The flaw had been fixed by the Struts team, but Equifax wasn’t running an up-to-date version of the software.
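As an added illustration (not Tidelift's or Babel's code) of the dependency analysis described above and of the out-of-date-version problem in the Equifax case: walk an application's direct and transitive dependencies and flag any package whose installed version is older than the version in which a known advisory was fixed. The manifest and advisory list are constructed sample data with placeholder names.

```python
# Added illustration, not Tidelift's code: walk a dependency graph (direct and
# transitive) and flag packages whose installed version is older than the
# version in which a known vulnerability was fixed.
from collections import deque

# Constructed sample manifest: package -> (installed version, dependencies).
MANIFEST = {
    "myapp": ("1.0.0", ["web-framework", "json-lib"]),
    "web-framework": ("2.3.1", ["ognl-lib"]),
    "json-lib": ("4.1.0", []),
    "ognl-lib": ("3.0.8", []),
}

# Constructed advisory feed: package -> [(advisory id, first fixed version)].
ADVISORIES = {
    "ognl-lib": [("ADV-EXAMPLE-1", "3.0.9")],
    "json-lib": [("ADV-EXAMPLE-2", "4.0.5")],
}


def parse_version(v):
    """Turn 'a.b.c' into a tuple so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))


def transitive_deps(root, manifest):
    """Breadth-first walk returning every package reachable from root, mapped to
    the dependency path that pulled it in (so a report can say why it is present).
    The seen-set also stops the walk on cyclic dependencies."""
    seen = {root: [root]}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in manifest.get(pkg, ("", []))[1]:
            if dep not in seen:
                seen[dep] = seen[pkg] + [dep]
                queue.append(dep)
    return seen


def find_outdated(root, manifest, advisories):
    """Return [(package, installed, advisory, fixed_in, path)] for every reachable
    package still running a version older than the advisory's fix."""
    findings = []
    for pkg, path in transitive_deps(root, manifest).items():
        if pkg not in manifest:
            continue  # unknown package: nothing to compare against
        installed = manifest[pkg][0]
        for adv_id, fixed_in in advisories.get(pkg, []):
            if parse_version(installed) < parse_version(fixed_in):
                findings.append((pkg, installed, adv_id, fixed_in, " -> ".join(path)))
    return findings


if __name__ == "__main__":
    for f in find_outdated("myapp", MANIFEST, ADVISORIES):
        print("%s %s is outdated (%s, fixed in %s) via %s" % f)
```

Only the transitive `ognl-lib` is reported: `json-lib` is already newer than its fix, so a plain "is this package in the advisory feed" check would have produced a false positive there.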
Ideally, Tidelift could help with another big security problem as well. Volunteer-run open source projects lack the resources to conduct extensive security audits, which has led to gaping security holes. In 2014, for example, security researchers revealed critical vulnerabilities in OpenSSL, which is used by nearly every site that processes credit card transactions, and Bash, which is included in a huge number of operating systems.
Fischer hopes that by providing more funding to lower-profile open source projects, developers can find and fix these sorts of issues before they become crises, like the OpenSSL and Bash vulnerabilities, known respectively as "Heartbleed" and "Shellshock."
For the time being, Tidelift isn't providing developers much funding. The company won’t disclose how many customers it has, or any names. Zhu says Tidelift isn't yet paying him anywhere near enough to make a living.
Tidelift, which has raised $15 million in venture capital, announced last week that it has $1 million earmarked for new developers who join its program. Developers will be paid at least $10,000 over a two-year period.
That's not enough to pay even a single full-time developer. But it does inch developers like Zhu, who also makes money by allowing companies like Facebook and Airbnb to pay for sponsorships on Babel’s website, closer to making a living. The more developers sign up, the more value Tidelift can potentially offer its customers.
[1] CORRECTION, Sept. 24, 8:30PM ET: Credit-reporting company Equifax was hacked after not fixing a vulnerability in an open source program. An earlier version of this article incorrectly said Experian was hacked.