The missing rung in the FOSS assurance ladder is cost sharing

I spent a couple of evenings researching the b4mad.industries proposal for a Standard and Criteria Catalog for Fair, Transparent, and Sustainable Cost Sharing in FOSS Components and Dependencies. Going in, I assumed the hard part would be choosing between competing definitions of “fair.” Coming out, I’m convinced the more interesting finding is something else entirely: the FOSS assurance stack has a missing rung, and nobody is standing on it.

What I Found

We already have a tall stack of FOSS standards. SPDX/REUSE tell you what is in the software. ISO/IEC 5230 and 18974 (OpenChain) tell you whether the consuming organisation has a credible compliance and security program. CHAOSS measures project health. OpenSSF Criticality Score and Census II rank how important a dependency is. Tidelift, Open Collective, GitHub Sponsors, Sovereign Tech Fund, NLnet, Drips, Gitcoin Quadratic Funding, Optimism RetroPGF, ecosyste.ms Funds, and Open Source Pledge all move money. Across all of these, not one defines a fair share, a disclosure schema, or a binding between dependency identifiers and funding flows [Source 1, 6, 7]. CHAOSS is closest: it has a Funding Working Group with a 2025 Practitioner Guide, but the guide explicitly states that “no single universal framework exists” and recommends customised approaches per funder.

Meanwhile, regulation is generating demand without supplying funding. The EU Cyber Resilience Act creates a “software steward” category whose reporting obligations apply from 11 September 2026 and full obligations from 11 December 2027 [Source 18, 19]. Stewards are exempt from administrative fines but still owe vulnerability handling, secure-development policy, and CSIRT reporting — entirely on their own time. The Sovereign Tech Fund (~€17M/yr) and NLnet’s NGI0 (€21.6M over three years) cannot absorb the gap.

The literature also disagrees about whose fairness counts. Eghbal and CHAOSS DEI metrics centre maintainer wellbeing. Atlantic Council and Sharma centre use-proportional cost internalisation by corporate consumers (“polluter pays”). WEF and RetroPGF advocate impact-proportional retrospective funding [Source 28, 29]. These produce different concrete numbers for the same project. Any catalog has to pick or weight them — and most current proposals quietly avoid the choice.

What Surprised Me

The most concrete allocation formula in the entire FOSS-funding space is on a blockchain. Drips Network’s weight / TOTAL_SPLITS_WEIGHT split rule lives in smart-contract code and propagates recursively through dependency graphs every month [Source 14]. Tidelift, by contrast — once the obvious candidate for SBOM-driven allocation — became harder to verify after its 2025 Sonar acquisition; its current public language describes payments only as based on “customer usage and strategic importance,” with no published weights. The auditable formula migrated from the SaaS marketplace to the chain.
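To make the recursive split rule concrete, here is a small model of it in Python. This is an added illustration written for this post, not Drips' contract code, and it rests on assumptions the post does not state: that TOTAL_SPLITS_WEIGHT is 1_000_000, that an account's split weights may sum to at most that total, that each share is computed with integer floor division and the remainder stays with the splitting account, and that forwarded funds are re-split in the next round until nothing is left to forward. The package identifiers and the dependency graph are constructed for the example; the purl-keyed result is the kind of dependency-identifier-to-funding-flow mapping the missing disclosure schema would have to standardise.

```python
"""Model of a Drips-style recursive proportional split over a dependency graph.

Illustrative code, not the Drips contracts. Assumed semantics (verify against the
real contracts before relying on them): each account forwards
amount * weight // TOTAL_SPLITS_WEIGHT to every configured receiver, keeps the
remainder, and receivers re-split what they get in the next round.
"""
from collections import defaultdict

TOTAL_SPLITS_WEIGHT = 1_000_000  # assumed fixed denominator for split weights

# account purl -> [(receiver purl, weight)]
Splits = dict[str, list[tuple[str, int]]]


def validate_splits(splits: Splits) -> None:
    """Reject configurations that would forward more than 100% or use negative weights."""
    for account, receivers in splits.items():
        if any(w < 0 for _, w in receivers):
            raise ValueError(f"{account}: negative split weight")
        total = sum(w for _, w in receivers)
        if total > TOTAL_SPLITS_WEIGHT:
            raise ValueError(f"{account}: weights sum to {total} > {TOTAL_SPLITS_WEIGHT}")


def allocate(inflows: dict[str, int], splits: Splits, max_rounds: int = 64) -> dict[str, dict[str, int]]:
    """Push inflows through the split graph round by round.

    Returns, per purl, the total it received (including amounts it later
    forwarded) and the amount it finally kept. Integer floor division makes
    cyclic flows with weights below 100% decay to zero; a cycle at exactly 100%
    never decays, so after max_rounds the residue is credited to whoever holds
    it, keeping the ledger balanced.
    """
    validate_splits(splits)
    received: dict[str, int] = defaultdict(int)
    kept: dict[str, int] = defaultdict(int)
    pending = dict(inflows)
    for _ in range(max_rounds):
        if not pending:
            break
        nxt: dict[str, int] = defaultdict(int)
        for account, amount in pending.items():
            received[account] += amount
            forwarded = 0
            for receiver, weight in splits.get(account, []):
                share = amount * weight // TOTAL_SPLITS_WEIGHT  # floor, as on-chain integer math would
                if share:
                    nxt[receiver] += share
                    forwarded += share
            kept[account] += amount - forwarded  # rounding remainder stays with the splitter
        pending = dict(nxt)
    for account, amount in pending.items():  # non-decaying residue after max_rounds
        received[account] += amount
        kept[account] += amount
    return {a: {"received": received[a], "kept": kept[a]} for a in sorted(received)}


# Constructed example graph (hypothetical packages, not real projects).
# The http-client <-> tls pair forms a cycle below 100%, which the floor division resolves.
EXAMPLE_SPLITS: Splits = {
    "pkg:npm/example-web-app": [("pkg:npm/example-http-client", 300_000), ("pkg:pypi/example-parser", 200_000)],
    "pkg:npm/example-http-client": [("pkg:cargo/example-tls", 500_000)],
    "pkg:pypi/example-parser": [("pkg:cargo/example-tls", 250_000), ("pkg:npm/example-http-client", 100_000)],
    "pkg:cargo/example-tls": [("pkg:npm/example-http-client", 100_000)],
}
EXAMPLE_INFLOWS = {"pkg:npm/example-web-app": 1_000_000}  # one month of funding, in minor units


def example() -> dict[str, dict[str, int]]:
    return allocate(EXAMPLE_INFLOWS, EXAMPLE_SPLITS)


if __name__ == "__main__":
    for purl, row in example().items():
        print(f"{purl:32} received={row['received']:>9} kept={row['kept']:>9}")
```

The thing worth noticing is what the model forces you to decide: whether remainders belong to the splitter, how cycles terminate, and that the sum of everything kept must equal the inflow. Those are exactly the rules a cost-sharing catalog would have to write down before any two implementations could produce the same number for the same SBOM.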

The Bottom Line

The b4mad.industries proposal targets a real gap. To occupy it credibly the catalog needs three things: pick a fairness baseline (or a justified weighted blend), publish a minimum machine-readable disclosure schema mapping SBOM identifiers to funding flows, and align voluntarily produced disclosures with anticipated CRA/PLD due-diligence demand. Anything beyond that mapping is policy advocacy, not a standard.


This is a summary of my full research report: The Missing Cost-Sharing Layer. That report includes 43 sources (20 spot-verified) and detailed analysis of standards, funding mechanisms, criticality scoring, fairness principles, EU/US regulation, and recurring failure cases (xz-utils, Log4Shell, OpenSSL/Heartbleed, core-js, faker.js).