Hero Image

Executive Summary

Jan. 4, 2022
Simply Secure
Mehan Jayasuriya
Jessica Gonzalez

Written by Simply Secure, Mehan Jayasuriya and Jessica Gonzalez

The Mozilla Open Source Support (MOSS) program was launched in 2015 to fund open source and free software. Since its inception, MOSS has invested more than $7.8 million in the open source ecosystem, supporting over 140 projects with more than 35,000 total contributors. With an annual budget of roughly $2M, it operates via three separate tracks that each have different funding criteria and distinct decision-making committees:

Track 1: Foundational Technology

Supports open source projects that Mozilla relies on, either as an embedded part of our products or as part of our everyday work. Projects must be endorsed by a Mozilla staff member in order to apply.

Track 2: Mission Partners

Supports open source projects that significantly advance Mozilla’s mission. Any mission-aligned open source technology may apply.

Track 3: Secure Open Source (SOS)

Supports security audits for widely used open source software projects and remedial work needed to rectify the problems found.

At the end of 2020, Mozilla launched an evaluation process to assess (1) what impact this funding initiative has had on the open source ecosystem and (2) how the program has advanced Mozilla’s mission and goals.

This in-depth evaluation of the program affirms that MOSS continues to play an important role in the ecosystem, providing projects with funding to pay down technical debt, open new pathways to contributors and build infrastructure for long-term growth—work that other funders often cannot or will not support. By supporting this unglamorous but essential work, MOSS has filled a gap in the ecosystem and helped to make open source technologies more sustainable.

MOSS has also provided clear benefits to Mozilla. The program demonstrates Mozilla’s commitment to the open source community beyond its stewardship of Firefox and connects the organization to new technical audiences it might not otherwise reach: 82% of MOSS awardees have no other known touchpoint to Mozilla programs. To date, MOSS has supported Mozilla’s goal to fund new innovation and reach technical audiences by:

  • Connecting Mozilla to new technical audiences working in fields like networking, hardware and security
  • Creating pathways for technical people to participate in community events like MozFest
  • Establishing Mozilla’s reputation in the open-source funding community as a “gap filler” and one of few funders willing to fund maintenance and sustainability
  • Furthering Mozilla’s reputation as one of the only funders with real technical knowledge and credibility

There is great potential for MOSS to contribute more directly to Mozilla’s strategic goals but realizing this potential will require addressing some of the program’s shortcomings and structural challenges. MOSS awardees do not feel that they are part of an awardee community and do not have a sense of what other projects MOSS funds. Cultivating a MOSS community is one of the program’s largest areas of untapped potential; by leveraging the expertise of awardees, we could strengthen and grow MOSS and better realize our initial vision for a program that evolves with direct input from the open source community.

With regard to supporting mission-aligned technologies, we've made great strides toward broadening our focus beyond just utilities for web developers and now support a wide variety of projects through our mission-focused track (Track 2: Mission Partners). Mission Partners has helped mission-aligned technologies become more sustainable, by allowing them to pay down technical debt, open up pathways to new contributors and build the infrastructure to support long-term growth. It has also resulted in a variety of other impacts, including improving security, making open source tools easier to use and helping non-technical people contribute to open source projects. Mission Partners is an example of a pan-Mozilla program that has significantly advanced shared goals; by leveraging the Foundation’s grantmaking expertise and the Corporation’s technical credibility, we’ve helped to support the advancement of mission-aligned tools, while building Mozilla’s profile as a leader in the open source community. Some examples of mission-aligned technologies we’ve supported include:

Tails

A secure operating system used by journalists, activists and survivors of domestic abuse. The team used their MOSS funding to make Tails easier to use for beginners, helping to give less technically-inclined people access to secure communications.

Osmocom

A suite of open source, mobile communications tools. Thanks in part to MOSS funding, Osmocom users can now operate distributed, resilient and decentralized GSM networks, providing an open option where previously there were none.

p5.js

A JavaScript library for creative coding, with a focus on making coding accessible and inclusive for artists, designers, educators and beginners. MOSS support allowed p5 to become “a stable, fully featured, and impeccably documented library” and achieve a v1.0 release.

Over the years, Mission Partners has become a successful grantmaking program, with a steady flow of applications and awards, supported by word-of-mouth publicity. The combination of investment from MoCo and MoFo’s grantmaking infrastructure has provided a healthy model on which Mission Partners can further grow and support Mozilla’s goals in the years to come. That said, we also see opportunities to improve the program, should it continue. The most pressing area to address is Mission Partners’ funding focus, which has tended to be largely opportunistic, rather than intentional. Adding more specificity to the program’s funding criteria could allow our mission-focused funding to contribute more directly and specifically to Mozilla’s strategic priorities.

Stakeholders that we interviewed called for Mozilla to “lean in” to MOSS, by articulating a clear, opinionated strategy to guide what it funds. They felt that MOSS should focus on solving “real problems”—in the sense of impact on real world issues (COVID, elections) and pressing technical problems (security threats, product area gaps, privacy on the web). The success of the COVID-19 Solutions Fund provides a model for how MOSS could be more nimble, opinionated and impactful, by focusing on solving specific problems through open source technology. Through the COVID fund, we’ve also learned that MOSS can reach and have an immediate impact in new communities where there is an appetite for our involvement and funding. This observation guides many of the recommendations we make for the future of the Mission Partners program.

With regard to our support of Mozilla dependencies, we’ve learned that the community wants us to continue this work and we know that this is an area where we can do better.

At its best, our current model for supporting dependencies (Track 1: Foundational Technologies) has helped Mozilla dependencies become more sustainable, including foundational technologies with millions of other downstream dependencies. But overall, this program is struggling. Track 1 does not receive enough applications, cannot spend down its budget and funds only the technologies that approach us for support, as opposed to our most important dependencies. There has also been friction between the program and MoCo engineering when MOSS has attempted to support dependencies for products like Firefox—despite good intentions, MOSS has historically been too disconnected from Mozilla engineering for this kind of collaboration to work well.

Finally, with regard to our funding of security audits, more time, structure and resources will need to be invested in this area if we want to see impact. While our security audit program (Track 3: Secure Open Source) pioneered a model that has been successfully used by other funders and provided a real reputational benefit to Mozilla, it has never been given the staffing, structure or resourcing to become a professionalized program. If Mozilla wishes to continue investing in the security of the open source ecosystem as a whole, it will need to invest in creating a long-term model for providing this support. This should be done in consultation with Mozilla’s in-house security experts.

Through this evaluation, we have observed the clear impacts that MOSS has had in the open source ecosystem and on Mozilla, as well as the ways in which the program’s current structure restricts its potential. MOSS has become too complex both in its structure and operations and is now essentially an umbrella for three different programs with different (but overlapping) aims. We believe that a less-complex, more nimble and more specific version of MOSS could better support sustainability in the open source ecosystem as well as other Mozilla strategic goals in the years ahead.

Keep Scrolling For
Summary of Evaluation Findings