An Overview of Cyber Security Funding for Open Source Software
Pith reviewed 2026-05-23 07:46 UTC · model grok-4.3
The pith
Neither cyber security needs nor project sustainability fully explain the rationales behind funding decisions for open source software projects.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Qualitative thematic analysis of the projects funded by two cyber security focused OSS funding bodies reveals that supply chains, network and cryptography libraries, programming languages, and operating systems along with their low-level components have been funded and viewed as critical. The work links the research areas of critical infrastructure and OSS project sustainability while relating the examined topic to recent cyber security regulations. Its key argument is that neither cyber security nor project sustainability alone can entirely explain the rationales behind the funding decisions made by the two funding bodies.
What carries the argument
Qualitative thematic analysis applied to the projects and rationales of two specific OSS cyber security funding bodies.
If this is right
- OSS supply chains and cryptography libraries receive priority as critical cyber security components.
- Funding choices reflect efforts to protect critical infrastructure through open source maintenance.
- Recent cyber security regulations shape which OSS projects are selected for support.
- Project sustainability considerations influence but do not determine funding allocations.
Where Pith is reading between the lines
- Funding bodies in other domains may apply similarly mixed criteria when selecting open source projects.
- Increased public disclosure of funding rationales could allow better alignment with community-identified needs.
- The approach might extend to non-security OSS funding to identify overlooked sustainability factors.
Load-bearing premise
The qualitative thematic analysis of the two selected funding bodies produces an unbiased and representative picture of broader OSS cyber security funding priorities and rationales.
What would settle it
A study of additional funding bodies or quantitative metrics on funded projects that shows decisions align exclusively with measurable security risk levels or documented sustainability shortfalls would falsify the central claim.
Many open source software (OSS) projects need more human resources for maintenance, improvements, and sometimes even their survival. These needs allegedly apply even to vital OSS projects that can be seen as being a part of the world's critical infrastructures. To address this resourcing problem, new funding instruments for OSS projects have been established in recent years. The paper examines two such funding bodies for OSS and the projects they have funded. The focus of both funding bodies is on software security and cyber security in general. Based on qualitative thematic analysis, the results indicate that particularly OSS supply chains, network and cryptography libraries, programming languages, and operating systems and their low-level components have been funded and thus seen as critical in terms of cyber security. In addition to the qualitative results presented, the paper makes a contribution by connecting the research branches of critical infrastructure and sustainability of OSS projects. A further contribution is made by connecting the topic examined to recent cyber security regulations. Finally, an important argument is raised that neither cyber security nor project sustainability alone can entirely explain the rationales behind the funding decisions made by the two funding bodies.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper examines two funding bodies focused on OSS cyber security, applies qualitative thematic analysis to identify funded project areas (supply chains, crypto libraries, languages, OS components), connects the work to critical infrastructure research and OSS sustainability, links it to recent regulations, and concludes that neither cyber security nor sustainability alone fully explains the observed funding rationales.
Significance. If the thematic analysis is shown to be systematic and representative, the manuscript would usefully bridge critical-infrastructure and OSS-sustainability literatures and relate funding patterns to emerging regulation. The central interpretive claim is plausible on its face but currently rests on an opaque qualitative process whose internal consistency cannot be assessed.
Major comments (2)
- [Methodology] The description of the qualitative thematic analysis supplies no information on selection criteria for the two funding bodies, the project sampling frame, the coding scheme, or inter-rater reliability. Because the claim that 'neither cyber security nor project sustainability alone can entirely explain the rationales' is derived directly from the themes produced by this analysis, the absence of these details renders the central argument unverifiable.
- [Results] The results section presents high-level themes (supply chains, cryptography libraries, etc.) but does not include concrete examples, decision excerpts, or explicit mapping showing how any funded project falls outside both pure security and pure sustainability rationales. Without such evidence the 'neither alone' conclusion lacks demonstrable support.
Minor comments (2)
- [Abstract] The abstract states that the analysis 'indicates' certain areas have been funded but does not preview the methodological limitations that affect the strength of that indication.
- [Discussion] Citations to specific recent regulations (e.g., section or article numbers) would make the claimed connection to regulatory developments more precise and checkable.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback. We will revise the manuscript to enhance methodological transparency and to supply concrete evidentiary support for the interpretive claims.
Point-by-point responses
- Referee: [Methodology] The description of the qualitative thematic analysis supplies no information on selection criteria for the two funding bodies, the project sampling frame, the coding scheme, or inter-rater reliability. Because the claim that 'neither cyber security nor project sustainability alone can entirely explain the rationales' is derived directly from the themes produced by this analysis, the absence of these details renders the central argument unverifiable.
  Authors: We agree that the current description is insufficient for verifiability. In the revised manuscript we will add a dedicated Methodology section specifying: selection criteria for the two bodies (the primary publicly funded programs with an explicit OSS cybersecurity mandate); the sampling frame (all projects funded by these bodies within the study period); the coding process (inductive thematic analysis following established qualitative guidelines); and reliability steps (iterative coding with author consensus discussions). This will directly address the concern that the central claim cannot be assessed. Revision: yes.
- Referee: [Results] The results section presents high-level themes (supply chains, cryptography libraries, etc.) but does not include concrete examples, decision excerpts, or explicit mapping showing how any funded project falls outside both pure security and pure sustainability rationales. Without such evidence the 'neither alone' conclusion lacks demonstrable support.
  Authors: We accept the point that high-level themes alone do not sufficiently demonstrate the claim. The revised results section will include specific funded-project examples, publicly available excerpts from funding announcements or project rationales, and explicit mappings that illustrate motivations extending beyond pure cybersecurity (e.g., regulatory compliance or critical-infrastructure resilience) or sustainability alone. These additions will provide the required demonstrable support. Revision: yes.
Circularity Check
No circularity detected in descriptive qualitative paper
Full rationale
The paper performs a qualitative thematic analysis of OSS funding decisions by two bodies and offers an interpretive argument that neither cyber security nor sustainability alone explains the rationales. There are no equations, fitted parameters, derivations, predictions, or uniqueness theorems. No self-citations are invoked as load-bearing premises, and no steps reduce by construction to inputs. The work is self-contained as an overview and connection of research branches without circular reduction.
Axiom & Free-Parameter Ledger
Axioms (1)
- Domain assumption: Thematic analysis of project descriptions and funding decisions can reliably surface non-obvious rationales beyond stated security and sustainability goals.