From 74c9a2ec8200cecacfb750ea0740701e90ec29e0 Mon Sep 17 00:00:00 2001 From: Ana Jimenez Santamaria <43671777+anajsana@users.noreply.github.com> Date: Mon, 17 Jan 2022 15:25:33 +0100 Subject: [PATCH 1/5] [DO NOT MERGE] Create questions.md for review **Please do not merge until 2022-02-28** This commit adds `question.md` file so the community can provide feedback and add comments to the OSPO Survey 2022 questions --- 2022/questions.md | 531 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 531 insertions(+) create mode 100644 2022/questions.md diff --git a/2022/questions.md b/2022/questions.md new file mode 100644 index 0000000..635a56f --- /dev/null +++ b/2022/questions.md 
@@ -0,0 +1,531 @@ +## Open Source Program Office (OSPO) 2022 Survey +The TODO Group, together with Linux Foundation Research and The New Stack, is conducting a survey as part of a research project on the prevalence and outcomes of open source programs among enterprises across the globe. + +Personally identifiable information will not be used without your explicit permission. The information collected in this survey will be used as part of a research study. +Only one response per company will be included in the study's results. + +*This survey should take no more than 15 minutes of your time.* + + +PRIVACY + +Your name and company name will not be published. Reviews are attributed to your role, company size, and industry. Responses will be subject to the Linux Foundation's Privacy Policy, available at https://linuxfoundation.org/privacy. Please note that survey partners who are not Linux Foundation employees will be involved in reviewing the survey results. Although survey partners are not permitted to use your personal data for other purposes, if you would prefer that your name or email address would not be visible in the results that the survey partners review, then please do not include them in your responses. + + +VISIBILITY + +We will summarize the survey data and share the findings during OSPOCon 2022. The summary report will be published on both the TODO Group and Linux Foundation websites. + +QUESTIONS + +If you have questions regarding this survey, please email us at research@linuxfoundation.org. + + +## Part 1 +1. Where is your company or organization on its open source journey? (Check all that apply) +* Consuming open source code in products or services +* Contributing to upstream open source projects +* Influencing open source projects via leadership or maintainer roles +* Initiating or releasing open source projects +* Collaborating with peers across open source projects and/or foundations +* Not involved in open source +* Don’t know + +2. 
How many people work for your company or organization? +* Self-employed or not working +* 2-50 +* 51-250 +* 251-1,000 +* 1,001-10,000 +* More than 10,000 +* Don't know + +3. How often does your organization do the following activities? +>{Never Rarely Sometimes Frequently Don't know} +* Contribute code upstream +* Use open source code for noncommercial or internal reasons +* Use open source code in commercial products +* Recruit and hire developers to work on open source projects +* Train developers to contribute to open source projects +* Create its own open source projects +* Attend and speak at open source events or conferences +4. What percentage of your products include open source components? +* 1-20% +* 21-40% +* 41-60% +* 61-80% +* 81-100% +* Our products do not have any software components +* Don't know + +5. Does your organization have a formal policy governing use and contribution to open source projects in the following areas? +>{Yes No Don't know} +* Use of open source code in products (dependencies) +* Releasing open source code or projects +* Contributing upstream to open source projects +* Sponsoring open source projects, events or foundations +* Allowing employees to contribute to non-work-related open source projects in their personal time +6. Does your organization have a management initiative or program (either formal or informal) around open source? +* Yes +* No, but planning one +* No +>ROUTING: "Yes" goes to Part 2; "No, but planning one" goes to Part 3; "No" goes to Part 4 + +## Part 2 +### Part 2a: Have Open Source Program + +7. What are the primary responsibilities of the open source program? 
(Check all that apply) +* Owning and overseeing the execution of open source strategy +* Clearly communicating the open source strategy within and outside the company +* Facilitating the effective use of open source in commercial products and services +* Ensuring high-quality and frequent releases of code to open source communities +* Engaging with developer communities so the company contributes back to other projects effectively +* Fostering an open source culture within an organization +* Maintaining open source license compliance reviews and oversight +* Launching new open source projects +* Selecting and/or setting up infrastructure and tooling for open source use, contribution and creation +* Developing and delivering open source training, resources and documentation +* Other (please explain) + +8. Is the program or initiative formally structured with dedicated person-hours, reporting structure and/or job titles? +* Yes +* No +* Don't know +>ROUTING: "Yes" goes to Part 2b; "No" and "Don't know" go to Part 2c +### Part 2b: Employees in formal programs +9. How many employees are part of your open source program? +* 0 (no dedicated staff yet) +* 1 +* 2-4 +* 5-9 +* 10+ +* Don't know + +### Part 2c +10. Where is the open source program or initiative located within the organization? If the effort is informal, answer based on who the primary organizers report to. +* Legal +* Software engineering and development +* IT +* Office of the CTO +* Developer relations, marketing or communications +* Security, compliance or risk management +* Don't know +* Other (please specify) + + +11. What percentage of your open source program’s time is spent collaborating with the following departments? (Total can equal more than 100%) +>{< 20% 21-40% 41-60% 61-80% > 80% Don't know} +* Engineering +* IT +* Legal +* Security +* Upstream open source projects +* Other (please specify) +12. What is your role in the open source program? 
+* Executive leadership or oversight (program manager reports to me) +* Program manager +* Legal compliance +* Engineering compliance +* Security +* Developer relations, advocacy and evangelism +* Open source developer or engineer (reporting to the open source office) +* Committee member +* No formal role +* Other (please specify) + +13. In light of recent macroeconomic conditions, what is the likelihood that funding for your company's open source initiatives will increase or decrease in the upcoming fiscal year? +* Very likely to increase +* Somewhat likely to increase +* Neutral +* Somewhat likely to decrease +* Very likely to decrease +* Don't know + +14. How long ago was the program established? +* 0-2 years +* 3-5 years +* 6-10 years +* More than 10 years +* Don't know + +15. What are the areas where your company has most benefited from the open source program? (Check all that apply) +* Increased developer recruitment and retention +* Increased speed and agility in the development cycle +* Better license compliance +* Lower licensing fees +* Lower support costs +* More influence in open source communities +* Increased contributions to in-house open source projects from external or third-party contributors +* More awareness of open source use and commercial dependencies +* Increased market adoption of open source projects +* Increased participation in external open source projects +* Faster time to market with new products +* Increased innovation +* Culture change, with improved interaction among departments +* Better security testing and vulnerability management +* Other (please specify) + +16. What are the ways your open source program quantifies success? 
(Check all that apply) +* Fewer license violations +* Faster compliance process +* Volume of upstream code contributions +* Number of open source projects initiated +* Number of contributors +* Market adoption or use of projects +* Developer velocity, efficiency, and/or productivity +* Developer hiring and onboarding +* Reach in open source communities +* Frequency of dependency updates +* Mean time to detect vulnerabilities +* Time to market with new products +* Project code quality +* Cost savings +* Other (please specify) + + +17. What are the top three challenges your open source program faces? (Choose three) +* Finding and recruiting open source developers +* Ability to influence open source projects +* Executive awareness and support +* Insufficient budget, program costs +* Internal awareness of the program +* External awareness (marketing and communications) +* License compliance overhead +* Getting teams on board with compliance and security approaches +* Vulnerability monitoring and remediation +* Tracking metrics and performance +* Tool selection and adoption + +18. On a scale of 1-5, how business-critical is your open source program to the success of your engineering or product teams? (1= extremely critical, 5 = not at all critical) +* 1 – Extremely critical +* 2 – Very critical +* 3 – Somewhat critical +* 4 – Not so critical +* 5 – Not at all critical + +19. Does your organization use its open source program office as a way to further its strategic relationships and build partnerships? +* Yes +* No +* Don't know + +20. Has the open source program had a positive impact on your company's software practices? +* Yes +* No +* Don't know + +>ROUTING: "Yes" goes to Part 2d; "No" and "Don't know" go to Part 5 +### Part 2d: Have Program - yes, specific impact +21. If yes, please provide one or two specific examples. +* Example 1 +* Example 2 + +>Routing: go to Part 5a +## Part 3: Planning an Open Source Program +22. 
When does your company plan to start a program? +* In the next 6 months +* In the next year +* 1-2 years from now +* Over 2 years from now + +23. Will the program or initiative be formally structured with dedicated person-hours, reporting structure and/or job titles? +* Yes +* No +* Don't know + +24. Where will the open source program or initiative be located within the organization? If the effort is informal, answer based on who the primary organizers will report to. +* Legal +* Software engineering and development +* IT +* Office of the CTO +* Developer relations, marketing or communications +* Security, compliance or risk management +* Don't know +* Other (please specify) + + +25. What does your company aim to accomplish by starting an open source program? (Check all that apply) +* Increased developer recruitment and retention +* Increased speed and agility in development cycle +* Better license compliance +* Lower licensing fees +* Lower support costs +* More influence in open source communities +* Increased contributions to in-house open source projects from external or third-party contributors +* More awareness of open source use and commercial dependencies +* Increased market adoption of open source projects +* Increased participation in external open source projects +* Faster time to market with new products +* Increased innovation +* Culture change, improving interaction among departments +* Better security testing and vulnerability management +* Other (please specify) + +26. What have been the top three biggest challenges in establishing an open source program? 
(Choose three) +* Developing an open source strategy +* Finding an open source program manager +* Finding legal staff with open source expertise +* Setting an open source policy +* Getting executive support and buy-in +* Getting engineering support and buy-in +* Setting a budget and estimating program costs +* Assessing or quantifying existing open source use and contribution +* Resources required to perform license compliance +* Finding commercial dependencies +* Tool selection +* Other (please specify) +>Routing: go to Part 5a +## Part 4 +### Part 4a: Do Not Have an Open Source Program +27. Why doesn’t your company have an open source program? (Check all that apply) +* Used to have one, but it ended +* Have never heard of an open source program +* Haven’t considered it +* Don’t use or participate in open source +* Organization is too small to need one +* Organization’s open source use and participation is too small to need one +* Don’t see the business value +* Don’t want to regulate or standardize open source practices +* Time or resource constraints +* Want one but can’t justify it +* Other (please specify) + +28. Would your company benefit from an open source program? +* Yes +* No +* Unknown + +>Routing: "Yes" goes to Part 4b, "No" goes to Part 4c +## Part 4b: Not Using - Yes, employer would benefit +29. How would you approach creating an open source program within your organization? +* {open ended} + +30. What are the top three ways your company would benefit from an open source program? 
(Choose three) +* Increased developer recruitment and retention +* Increased speed and agility in development cycle +* Better license compliance +* Lower licensing fees +* Lower support costs +* More influence in open source communities +* Increased contributions to in-house open source projects from external or third-party contributors +* More awareness of open source use and commercial dependencies +* Increased market adoption of open source projects +* Increased participation in external open source projects +* Faster time to market with new products +* Increased innovation +* Culture change, with improved interaction among departments +* Better security testing and vulnerability management +* Other (please specify) +>Routing: go to Part 5a +### Part 4c: Not Using - No, employer would not benefit +31. Why not? +* Used to have one, but it ended +* Have never heard of an open source program +* Haven’t considered it +* Don’t use or participate in open source +* Organization is too small to need one +* Organization's open source use and participation is too small to need one +* Don’t see the business value +* Don’t want to regulate or standardize open source practices +* I don’t know +* Other (please specify) +>Routing: go to Part 5a +## Part 5 +### Part 5a: Value of Companies and Foundations +32. "The following list represents a range of large companies that participate in open source communities. To what degree do you perceive each of them to be “good open source community citizens” in terms of contributions, collaboration and leadership on open source projects and initiatives within the open source ecosystem?" +>{Excellent Above Average Average Below Average Very Poor Don't know} +* AWS +* Comcast +* Facebook +* Google +* IBM +* Microsoft +* Red Hat +* SAP +* Uber +* Verizon +* VMware +33. 
Excluding the aforementioned companies, please nominate up to three technology or software companies that exemplify good open source community citizenship in terms of contributions, collaboration and leadership on projects and initiatives within the open source ecosystems? +* Nomination 1 +* Nomination 2 +* Nomination 3 + +34. Excluding the aforementioned companies, please nominate up to three non-technology or software companies – so-called end users – that exemplify good open source community citizenship in terms of contributions, collaboration and leadership on projects and initiatives within the open source ecosystems? +* Nomination 1 +* Nomination 2 +* Nomination 3 + +35. To what degree does a company’s participation in, and contributions to, the open source community influence your organization’s buying decisions? +* Extremely influential +* Very influential +* Moderately influential +* Slightly influential +* Not at all influential +* Don't know + +36. In the last five years, has anyone in your organization included participation in open source ecosystems as criteria for the following? +{Yes No Don’t know} +* Review or audit of software and IT vendor contracts +* Decision to select a new vendor, supplier or partner +* Decision to discontinue a relationship with an existing vendor supplier or partner + +37. If your organization has assessed vendor, supplier or partner participation in open source ecosystems, what were the criteria or metrics used to evaluate performance? What would you tell your peers seeking to conduct similar evaluations? +* Open-ended comments + + +### Part 5b: Foundation Value +38. Is your company a member or sponsor of an open source foundation(s)? (e.g., The Linux Foundation, The Apache Foundation, Eclipse Foundation, OpenJS Foundation) +* Yes +* No +* Don't know +>Routing: "Yes" goes Part 5b; "No" and "Don't know" skip to Part 6. +### Part 5c: Foundation Value Follow-up + +39. 
How valuable is the support and return on your investment you have received from these open source foundations? +* Extremely high value +* High value +* Average value +* Low value +* Extremely low value +* Don't know + +## Part 6: Metrics for Everybody + +40. How many open source projects does your company maintain? +* 0 +* 1-10 +* 11-50 +* 51-100 +* 101-1,000 +* More than 1,000 +* Don't know + +41. How many developers (full time or part time) in your organization contribute to open source projects you depend on? +* 0 +* 1-5 +* 6-10 +* 11-100 +* More than 100 +* Don't know + +42. How often does your average application development team release code into production? +* Hourly +* Daily +* Weekly +* Monthly +* Quarterly +* Annually +* Don’t know + +## Part 7: Licensing, Compliance and Repos +43. Does your company require a Contributor License Agreement (CLA) for external contributions to your open source projects? +* Yes +* No +* Don't know + +44. What is the preferred license for your company's open source projects? +* MIT +* BSD 2-clause +* BSD 3-clause +* Apache 2.0 +* GPLv2 +* GPLv3 +* LGPL +* AGPL +* No preference +* Don't know +* Other (please specify) + +45. Which of the following tools and methodologies does your organization utilize for open source compliance? +* ClearlyDefined +* Debricked +* FOSSA +* FOSSology +* GitHub +* GitLab +* JFrog +* OpenChain +* OSS Review Toolkit +* Revenera +* Snyk +* Sonatype +* SPDX Tools +* Synopsys +* Tern +* Veracode +* WhiteHat Security +* WhiteSource +* We utilize a homegrown tool or methodology for open source compliance +* We do not utilize a tool or methodology for open source compliance +* Other (please specify) + + +46. Does the information security function within your organization access data from software composition analysis tools that are used for automated open source compliance? +* Yes +* No +* Don't know + + +47. What kinds of tools does your company use to manage open source code repositories? 
(Check all that apply) +* GitHub paid version +* GitLab paid version +* Other vendor’s paid version (e.g., Bitbucket) +* Free version of a vendor solution +* Homegrown solution +* Other (please specify) + +## Part 8: Audience +48. Which technology area does your company focus its open source activities on? (Check all that apply) +* AI, ML, Data & Analytics +* Blockchain +* CI/CD & Site Reliability +* Cloud +* Containers & Virtualization +* DevOps +* IoT & Embedded +* Networking & Edge +* Open Hardware +* Safety-Critical Systems +* Security +* Storage +* System Administration +* Web & Application Development +* Other (please specify) + +49. Which category most closely defines your role? +* Developer or software engineer +* Other IT +* Community manager or developer advocate +* IT management, including CIO, CISO, CTO +* C-level (non-technology) management +* Marketing / PR +* Other + +50. What industry vertical is your company in? +* Defense +* _Education_ +-- University +-- For-profit services +-- Other +* Financial services +* Healthcare +* Insurance +* Manufacturing and raw materials +* _Public Sector_ +-- Local government +-- National government +-- International organization +-- Non-governmental organization +* Retail +* Technology (software or IT) +* Telecom, communications or media +* Transportation and automotive +* Utilities +* Other + +51. What is the name of your organization? (This information will not be published) +* Name of Company / Organization / Institution + +52. If you are interested in participating in an in-depth interview, please provide us with your name, email address, and the name of your organization. +* Name +* Organization +* Email address From 892ce129ce80dd70a0e90bcca13af60e31667049 Mon Sep 17 00:00:00 2001 
From: Ana Jimenez Santamaria <43671777+anajsana@users.noreply.github.com> Date: Wed, 19 Jan 2022 19:02:57 +0100 Subject: [PATCH 2/5] improve format for questions.md Co-authored-by: Celeste Horgan --- 2022/questions.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/2022/questions.md b/2022/questions.md index 635a56f..8f9607b 100644 --- a/2022/questions.md +++ b/2022/questions.md @@ -22,14 +22,15 @@ If you have questions regarding this survey, please email us at research@linuxfo ## Part 1 + 1. Where is your company or organization on its open source journey? (Check all that apply) -* Consuming open source code in products or services -* Contributing to upstream open source projects -* Influencing open source projects via leadership or maintainer roles -* Initiating or releasing open source projects -* Collaborating with peers across open source projects and/or foundations -* Not involved in open source -* Don’t know + * Consuming open source code in products or services + * Contributing to upstream open source projects + * Influencing open source projects via leadership or maintainer roles + * Initiating or releasing open source projects + * Collaborating with peers across open source projects and/or foundations + * Not involved in open source + * Don’t know 2. How many people work for your company or organization? * Self-employed or not working From 18633cf91e102e6d017325a7e1d264a635176552 Mon Sep 17 00:00:00 2001 From: Ana Jimenez Santamaria <43671777+anajsana@users.noreply.github.com> Date: Wed, 19 Jan 2022 19:03:35 +0100 Subject: [PATCH 3/5] fix questions.md format Co-authored-by: Celeste Horgan --- 2022/questions.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/2022/questions.md b/2022/questions.md index 8f9607b..b8eb4cd 100644 --- a/2022/questions.md +++ b/2022/questions.md 
@@ -276,7 +276,9 @@ If you have questions regarding this survey, please email us at research@linuxfo * Other (please specify) >Routing: go to Part 5a ## Part 4 + ### Part 4a: Do Not Have an Open Source Program + 27. Why doesn’t your company have an open source program? (Check all that apply) * Used to have one, but it ended * Have never heard of an open source program From b0c206d635328a1b011375161e5d31e830a3690d Mon Sep 17 00:00:00 2001 From: Ana Jimenez Santamaria <43671777+anajsana@users.noreply.github.com> Date: Wed, 19 Jan 2022 19:03:59 +0100 Subject: [PATCH 4/5] fix questions.md format Co-authored-by: Celeste Horgan --- 2022/questions.md | 1 + 1 file changed, 1 insertion(+) diff --git a/2022/questions.md b/2022/questions.md index b8eb4cd..85e6838 100644 --- a/2022/questions.md +++ b/2022/questions.md @@ -347,6 +347,7 @@ If you have questions regarding this survey, please email us at research@linuxfo * Uber * Verizon * VMware + 33. Excluding the aforementioned companies, please nominate up to three technology or software companies that exemplify good open source community citizenship in terms of contributions, collaboration and leadership on projects and initiatives within the open source ecosystems? * Nomination 1 * Nomination 2 From dccd362e4e7f4affecf1ec353f4e4cf8e84e02af Mon Sep 17 00:00:00 2001 From: Ana Jimenez Santamaria <43671777+anajsana@users.noreply.github.com> Date: Wed, 19 Jan 2022 19:29:11 +0100 Subject: [PATCH 5/5] fix format --- 2022/questions.md | 728 +++++++++++++++++++++++----------------------- 1 file changed, 364 insertions(+), 364 deletions(-) diff --git a/2022/questions.md b/2022/questions.md index 85e6838..8787f33 100644 --- a/2022/questions.md +++ b/2022/questions.md 
@@ -33,60 +33,60 @@ If you have questions regarding this survey, please email us at research@linuxfo * Don’t know 2. How many people work for your company or organization? -* Self-employed or not working -* 2-50 -* 51-250 -* 251-1,000 -* 1,001-10,000 -* More than 10,000 -* Don't know + * Self-employed or not working + * 2-50 + * 51-250 + * 251-1,000 + * 1,001-10,000 + * More than 10,000 + * Don't know 3. How often does your organization do the following activities? >{Never Rarely Sometimes Frequently Don't know} -* Contribute code upstream -* Use open source code for noncommercial or internal reasons -* Use open source code in commercial products -* Recruit and hire developers to work on open source projects -* Train developers to contribute to open source projects -* Create its own open source projects -* Attend and speak at open source events or conferences + * Contribute code upstream + * Use open source code for noncommercial or internal reasons + * Use open source code in commercial products + * Recruit and hire developers to work on open source projects + * Train developers to contribute to open source projects + * Create its own open source projects + * Attend and speak at open source events or conferences 4. What percentage of your products include open source components? -* 1-20% -* 21-40% -* 41-60% -* 61-80% -* 81-100% -* Our products do not have any software components -* Don't know + * 1-20% + * 21-40% + * 41-60% + * 61-80% + * 81-100% + * Our products do not have any software components + * Don't know 5. Does your organization have a formal policy governing use and contribution to open source projects in the following areas? >{Yes No Don't know} -* Use of open source code in products (dependencies) -* Releasing open source code or projects -* Contributing upstream to open source projects -* Sponsoring open source projects, events or foundations -* Allowing employees to contribute to non-work-related open source projects in their personal time -6. 
Does your organization have a management initiative or program (either formal or informal) around open source? -* Yes -* No, but planning one -* No + * Use of open source code in products (dependencies) + * Releasing open source code or projects + * Contributing upstream to open source projects + * Sponsoring open source projects, events or foundations + * Allowing employees to contribute to non-work-related open source projects in their personal time + 6. Does your organization have a management initiative or program (either formal or informal) around open source? + * Yes + * No, but planning one + * No >ROUTING: "Yes" goes to Part 2; "No, but planning one" goes to Part 3; "No" goes to Part 4 ## Part 2 ### Part 2a: Have Open Source Program 7. What are the primary responsibilities of the open source program? (Check all that apply) -* Owning and overseeing the execution of open source strategy -* Clearly communicating the open source strategy within and outside the company -* Facilitating the effective use of open source in commercial products and services -* Ensuring high-quality and frequent releases of code to open source communities -* Engaging with developer communities so the company contributes back to other projects effectively -* Fostering an open source culture within an organization -* Maintaining open source license compliance reviews and oversight -* Launching new open source projects -* Selecting and/or setting up infrastructure and tooling for open source use, contribution and creation -* Developing and delivering open source training, resources and documentation -* Other (please explain) + * Owning and overseeing the execution of open source strategy + * Clearly communicating the open source strategy within and outside the company + * Facilitating the effective use of open source in commercial products and services + * Ensuring high-quality and frequent releases of code to open source communities + * Engaging with developer communities so the company 
contributes back to other projects effectively + * Fostering an open source culture within an organization + * Maintaining open source license compliance reviews and oversight + * Launching new open source projects + * Selecting and/or setting up infrastructure and tooling for open source use, contribution and creation + * Developing and delivering open source training, resources and documentation + * Other (please explain) 8. Is the program or initiative formally structured with dedicated person-hours, reporting structure and/or job titles? * Yes 
@@ -95,441 +95,441 @@ If you have questions regarding this survey, please email us at research@linuxfo >ROUTING: "Yes" goes to Part 2b; "No" and "Don't know" go to Part 2c ### Part 2b: Employees in formal programs 9. How many employees are part of your open source program? -* 0 (no dedicated staff yet) -* 1 -* 2-4 -* 5-9 -* 10+ -* Don't know + * 0 (no dedicated staff yet) + * 1 + * 2-4 + * 5-9 + * 10+ + * Don't know ### Part 2c 10. Where is the open source program or initiative located within the organization? If the effort is informal, answer based on who the primary organizers report to. -* Legal -* Software engineering and development -* IT -* Office of the CTO -* Developer relations, marketing or communications -* Security, compliance or risk management -* Don't know -* Other (please specify) + * Legal + * Software engineering and development + * IT + * Office of the CTO + * Developer relations, marketing or communications + * Security, compliance or risk management + * Don't know + * Other (please specify) 11. What percentage of your open source program’s time is spent collaborating with the following departments? (Total can equal more than 100%) >{< 20% 21-40% 41-60% 61-80% > 80% Don't know} -* Engineering -* IT -* Legal -* Security -* Upstream open source projects -* Other (please specify) + * Engineering + * IT + * Legal + * Security + * Upstream open source projects + * Other (please specify) 12. What is your role in the open source program? 
-* Executive leadership or oversight (program manager reports to me) -* Program manager -* Legal compliance -* Engineering compliance -* Security -* Developer relations, advocacy and evangelism -* Open source developer or engineer (reporting to the open source office) -* Committee member -* No formal role -* Other (please specify) + * Executive leadership or oversight (program manager reports to me) + * Program manager + * Legal compliance + * Engineering compliance + * Security + * Developer relations, advocacy and evangelism + * Open source developer or engineer (reporting to the open source office) + * Committee member + * No formal role + * Other (please specify) 13. In light of recent macroeconomic conditions, what is the likelihood that funding for your company's open source initiatives will increase or decrease in the upcoming fiscal year? -* Very likely to increase -* Somewhat likely to increase -* Neutral -* Somewhat likely to decrease -* Very likely to decrease -* Don't know + * Very likely to increase + * Somewhat likely to increase + * Neutral + * Somewhat likely to decrease + * Very likely to decrease + * Don't know 14. How long ago was the program established? -* 0-2 years -* 3-5 years -* 6-10 years -* More than 10 years -* Don't know + * 0-2 years + * 3-5 years + * 6-10 years + * More than 10 years + * Don't know 15. What are the areas where your company has most benefited from the open source program? 
(Check all that apply) -* Increased developer recruitment and retention -* Increased speed and agility in the development cycle -* Better license compliance -* Lower licensing fees -* Lower support costs -* More influence in open source communities -* Increased contributions to in-house open source projects from external or third-party contributors -* More awareness of open source use and commercial dependencies -* Increased market adoption of open source projects -* Increased participation in external open source projects -* Faster time to market with new products -* Increased innovation -* Culture change, with improved interaction among departments -* Better security testing and vulnerability management -* Other (please specify) + * Increased developer recruitment and retention + * Increased speed and agility in the development cycle + * Better license compliance + * Lower licensing fees + * Lower support costs + * More influence in open source communities + * Increased contributions to in-house open source projects from external or third-party contributors + * More awareness of open source use and commercial dependencies + * Increased market adoption of open source projects + * Increased participation in external open source projects + * Faster time to market with new products + * Increased innovation + * Culture change, with improved interaction among departments + * Better security testing and vulnerability management + * Other (please specify) 16. What are the ways your open source program quantifies success? 
(Check all that apply) -* Fewer license violations -* Faster compliance process -* Volume of upstream code contributions -* Number of open source projects initiated -* Number of contributors -* Market adoption or use of projects -* Developer velocity, efficiency, and/or productivity -* Developer hiring and onboarding -* Reach in open source communities -* Frequency of dependency updates -* Mean time to detect vulnerabilities -* Time to market with new products -* Project code quality -* Cost savings -* Other (please specify) + * Fewer license violations + * Faster compliance process + * Volume of upstream code contributions + * Number of open source projects initiated + * Number of contributors + * Market adoption or use of projects + * Developer velocity, efficiency, and/or productivity + * Developer hiring and onboarding + * Reach in open source communities + * Frequency of dependency updates + * Mean time to detect vulnerabilities + * Time to market with new products + * Project code quality + * Cost savings + * Other (please specify) 17. What are the top three challenges your open source program faces? 
(Choose three) -* Finding and recruiting open source developers -* Ability to influence open source projects -* Executive awareness and support -* Insufficient budget, program costs -* Internal awareness of the program -* External awareness (marketing and communications) -* License compliance overhead -* Getting teams on board with compliance and security approaches -* Vulnerability monitoring and remediation -* Tracking metrics and performance -* Tool selection and adoption + * Finding and recruiting open source developers + * Ability to influence open source projects + * Executive awareness and support + * Insufficient budget, program costs + * Internal awareness of the program + * External awareness (marketing and communications) + * License compliance overhead + * Getting teams on board with compliance and security approaches + * Vulnerability monitoring and remediation + * Tracking metrics and performance + * Tool selection and adoption 18. On a scale of 1-5, how business-critical is your open source program to the success of your engineering or product teams? (1= extremely critical, 5 = not at all critical) -* 1 – Extremely critical -* 2 – Very critical -* 3 – Somewhat critical -* 4 – Not so critical -* 5 – Not at all critical + * 1 – Extremely critical + * 2 – Very critical + * 3 – Somewhat critical + * 4 – Not so critical + * 5 – Not at all critical 19. Does your organization use its open source program office as a way to further its strategic relationships and build partnerships? -* Yes -* No -* Don't know + * Yes + * No + * Don't know 20. Has the open source program had a positive impact on your company's software practices? -* Yes -* No -* Don't know + * Yes + * No + * Don't know >ROUTING: "Yes" goes to Part 2d; "No" and "Don't know" go to Part 5 ### Part 2d: Have Program - yes, specific impact 21. If yes, please provide one or two specific examples. 
-* Example 1 -* Example 2 + * Example 1 + * Example 2 >Routing: go to Part 5a ## Part 3: Planning an Open Source Program 22. When does your company plan to start a program? -* In the next 6 months -* In the next year -* 1-2 years from now -* Over 2 years from now + * In the next 6 months + * In the next year + * 1-2 years from now + * Over 2 years from now 23. Will the program or initiative be formally structured with dedicated person-hours, reporting structure and/or job titles? -* Yes -* No -* Don't know + * Yes + * No + * Don't know 24. Where will the open source program or initiative be located within the organization? If the effort is informal, answer based on who the primary organizers will report to. -* Legal -* Software engineering and development -* IT -* Office of the CTO -* Developer relations, marketing or communications -* Security, compliance or risk management -* Don't know -* Other (please specify) + * Legal + * Software engineering and development + * IT + * Office of the CTO + * Developer relations, marketing or communications + * Security, compliance or risk management + * Don't know + * Other (please specify) 25. What does your company aim to accomplish by starting an open source program? 
(Check all that apply) -* Increased developer recruitment and retention -* Increased speed and agility in development cycle -* Better license compliance -* Lower licensing fees -* Lower support costs -* More influence in open source communities -* Increased contributions to in-house open source projects from external or third-party contributors -* More awareness of open source use and commercial dependencies -* Increased market adoption of open source projects -* Increased participation in external open source projects -* Faster time to market with new products -* Increased innovation -* Culture change, improving interaction among departments -* Better security testing and vulnerability management -* Other (please specify) + * Increased developer recruitment and retention + * Increased speed and agility in development cycle + * Better license compliance + * Lower licensing fees + * Lower support costs + * More influence in open source communities + * Increased contributions to in-house open source projects from external or third-party contributors + * More awareness of open source use and commercial dependencies + * Increased market adoption of open source projects + * Increased participation in external open source projects + * Faster time to market with new products + * Increased innovation + * Culture change, improving interaction among departments + * Better security testing and vulnerability management + * Other (please specify) 26. What have been the top three biggest challenges in establishing an open source program? 
(Choose three) -* Developing an open source strategy -* Finding an open source program manager -* Finding legal staff with open source expertise -* Setting an open source policy -* Getting executive support and buy-in -* Getting engineering support and buy-in -* Setting a budget and estimating program costs -* Assessing or quantifying existing open source use and contribution -* Resources required to perform license compliance -* Finding commercial dependencies -* Tool selection -* Other (please specify) + * Developing an open source strategy + * Finding an open source program manager + * Finding legal staff with open source expertise + * Setting an open source policy + * Getting executive support and buy-in + * Getting engineering support and buy-in + * Setting a budget and estimating program costs + * Assessing or quantifying existing open source use and contribution + * Resources required to perform license compliance + * Finding commercial dependencies + * Tool selection + * Other (please specify) >Routing: go to Part 5a ## Part 4 ### Part 4a: Do Not Have an Open Source Program 27. Why doesn’t your company have an open source program? 
(Check all that apply) -* Used to have one, but it ended -* Have never heard of an open source program -* Haven’t considered it -* Don’t use or participate in open source -* Organization is too small to need one -* Organization’s open source use and participation is too small to need one -* Don’t see the business value -* Don’t want to regulate or standardize open source practices -* Time or resource constraints -* Want one but can’t justify it -* Other (please specify) + * Used to have one, but it ended + * Have never heard of an open source program + * Haven’t considered it + * Don’t use or participate in open source + * Organization is too small to need one + * Organization’s open source use and participation is too small to need one + * Don’t see the business value + * Don’t want to regulate or standardize open source practices + * Time or resource constraints + * Want one but can’t justify it + * Other (please specify) 28. Would your company benefit from an open source program? -* Yes -* No -* Unknown + * Yes + * No + * Unknown >Routing: "Yes" goes to Part 4b, "No" goes to Part 4c ## Part 4b: Not Using - Yes, employer would benefit 29. How would you approach creating an open source program within your organization? -* {open ended} + * {open ended} 30. What are the top three ways your company would benefit from an open source program? 
(Choose three) -* Increased developer recruitment and retention -* Increased speed and agility in development cycle -* Better license compliance -* Lower licensing fees -* Lower support costs -* More influence in open source communities -* Increased contributions to in-house open source projects from external or third-party contributors -* More awareness of open source use and commercial dependencies -* Increased market adoption of open source projects -* Increased participation in external open source projects -* Faster time to market with new products -* Increased innovation -* Culture change, with improved interaction among departments -* Better security testing and vulnerability management -* Other (please specify) + * Increased developer recruitment and retention + * Increased speed and agility in development cycle + * Better license compliance + * Lower licensing fees + * Lower support costs + * More influence in open source communities + * Increased contributions to in-house open source projects from external or third-party contributors + * More awareness of open source use and commercial dependencies + * Increased market adoption of open source projects + * Increased participation in external open source projects + * Faster time to market with new products + * Increased innovation + * Culture change, with improved interaction among departments + * Better security testing and vulnerability management + * Other (please specify) >Routing: go to Part 5a ### Part 4c: Not Using - No, employer would not benefit 31. Why not? 
-* Used to have one, but it ended -* Have never heard of an open source program -* Haven’t considered it -* Don’t use or participate in open source -* Organization is too small to need one -* Organization's open source use and participation is too small to need one -* Don’t see the business value -* Don’t want to regulate or standardize open source practices -* I don’t know -* Other (please specify) + * Used to have one, but it ended + * Have never heard of an open source program + * Haven’t considered it + * Don’t use or participate in open source + * Organization is too small to need one + * Organization's open source use and participation is too small to need one + * Don’t see the business value + * Don’t want to regulate or standardize open source practices + * I don’t know + * Other (please specify) >Routing: go to Part 5a ## Part 5 ### Part 5a: Value of Companies and Foundations 32. "The following list represents a range of large companies that participate in open source communities. To what degree do you perceive each of them to be “good open source community citizens” in terms of contributions, collaboration and leadership on open source projects and initiatives within the open source ecosystem?" >{Excellent Above Average Average Below Average Very Poor Don't know} -* AWS -* Comcast -* Facebook -* Google -* IBM -* Microsoft -* Red Hat -* SAP -* Uber -* Verizon -* VMware + * AWS + * Comcast + * Facebook + * Google + * IBM + * Microsoft + * Red Hat + * SAP + * Uber + * Verizon + * VMware 33. Excluding the aforementioned companies, please nominate up to three technology or software companies that exemplify good open source community citizenship in terms of contributions, collaboration and leadership on projects and initiatives within the open source ecosystems? -* Nomination 1 -* Nomination 2 -* Nomination 3 + * Nomination 1 + * Nomination 2 + * Nomination 3 34. 
Excluding the aforementioned companies, please nominate up to three non-technology or software companies – so-called end users – that exemplify good open source community citizenship in terms of contributions, collaboration and leadership on projects and initiatives within the open source ecosystems? -* Nomination 1 -* Nomination 2 -* Nomination 3 + * Nomination 1 + * Nomination 2 + * Nomination 3 35. To what degree does a company’s participation in, and contributions to, the open source community influence your organization’s buying decisions? -* Extremely influential -* Very influential -* Moderately influential -* Slightly influential -* Not at all influential -* Don't know + * Extremely influential + * Very influential + * Moderately influential + * Slightly influential + * Not at all influential + * Don't know 36. In the last five years, has anyone in your organization included participation in open source ecosystems as criteria for the following? {Yes No Don’t know} -* Review or audit of software and IT vendor contracts -* Decision to select a new vendor, supplier or partner -* Decision to discontinue a relationship with an existing vendor supplier or partner + * Review or audit of software and IT vendor contracts + * Decision to select a new vendor, supplier or partner + * Decision to discontinue a relationship with an existing vendor supplier or partner 37. If your organization has assessed vendor, supplier or partner participation in open source ecosystems, what were the criteria or metrics used to evaluate performance? What would you tell your peers seeking to conduct similar evaluations? -* Open-ended comments + * Open-ended comments ### Part 5b: Foundation Value 38. Is your company a member or sponsor of an open source foundation(s)? (e.g., The Linux Foundation, The Apache Foundation, Eclipse Foundation, OpenJS Foundation) -* Yes -* No -* Don't know + * Yes + * No + * Don't know >Routing: "Yes" goes Part 5b; "No" and "Don't know" skip to Part 6. 
### Part 5c: Foundation Value Follow-up 39. How valuable is the support and return on your investment you have received from these open source foundations? -* Extremely high value -* High value -* Average value -* Low value -* Extremely low value -* Don't know + * Extremely high value + * High value + * Average value + * Low value + * Extremely low value + * Don't know ## Part 6: Metrics for Everybody 40. How many open source projects does your company maintain? -* 0 -* 1-10 -* 11-50 -* 51-100 -* 101-1,000 -* More than 1,000 -* Don't know + * 0 + * 1-10 + * 11-50 + * 51-100 + * 101-1,000 + * More than 1,000 + * Don't know 41. How many developers (full time or part time) in your organization contribute to open source projects you depend on? -* 0 -* 1-5 -* 6-10 -* 11-100 -* More than 100 -* Don't know + * 0 + * 1-5 + * 6-10 + * 11-100 + * More than 100 + * Don't know 42. How often does your average application development team release code into production? -* Hourly -* Daily -* Weekly -* Monthly -* Quarterly -* Annually -* Don’t know + * Hourly + * Daily + * Weekly + * Monthly + * Quarterly + * Annually + * Don’t know ## Part 7: Licensing, Compliance and Repos 43. Does your company require a Contributor License Agreement (CLA) for external contributions to your open source projects? -* Yes -* No -* Don't know + * Yes + * No + * Don't know 44. What is the preferred license for your company's open source projects? -* MIT -* BSD 2-clause -* BSD 3-clause -* Apache 2.0 -* GPLv2 -* GPLv3 -* LGPL -* AGPL -* No preference -* Don't know -* Other (please specify) + * MIT + * BSD 2-clause + * BSD 3-clause + * Apache 2.0 + * GPLv2 + * GPLv3 + * LGPL + * AGPL + * No preference + * Don't know + * Other (please specify) 45. Which of the following tools and methodologies does your organization utilize for open source compliance? 
-* ClearlyDefined -* Debricked -* FOSSA -* FOSSology -* GitHub -* GitLab -* JFrog -* OpenChain -* OSS Review Toolkit -* Revenera -* Snyk -* Sonatype -* SPDX Tools -* Synopsys -* Tern -* Veracode -* WhiteHat Security -* WhiteSource -* We utilize a homegrown tool or methodology for open source compliance -* We do not utilize a tool or methodology for open source compliance -* Other (please specify) + * ClearlyDefined + * Debricked + * FOSSA + * FOSSology + * GitHub + * GitLab + * JFrog + * OpenChain + * OSS Review Toolkit + * Revenera + * Snyk + * Sonatype + * SPDX Tools + * Synopsys + * Tern + * Veracode + * WhiteHat Security + * WhiteSource + * We utilize a homegrown tool or methodology for open source compliance + * We do not utilize a tool or methodology for open source compliance + * Other (please specify) 46. Does the information security function within your organization access data from software composition analysis tools that are used for automated open source compliance? -* Yes -* No -* Don't know + * Yes + * No + * Don't know 47. What kinds of tools does your company use to manage open source code repositories? (Check all that apply) -* GitHub paid version -* GitLab paid version -* Other vendor’s paid version (e.g., Bitbucket) -* Free version of a vendor solution -* Homegrown solution -* Other (please specify) + * GitHub paid version + * GitLab paid version + * Other vendor’s paid version (e.g., Bitbucket) + * Free version of a vendor solution + * Homegrown solution + * Other (please specify) ## Part 8: Audience 48. Which technology area does your company focus its open source activities on? 
(Check all that apply) -* AI, ML, Data & Analytics -* Blockchain -* CI/CD & Site Reliability -* Cloud -* Containers & Virtualization -* DevOps -* IoT & Embedded -* Networking & Edge -* Open Hardware -* Safety-Critical Systems -* Security -* Storage -* System Administration -* Web & Application Development -* Other (please specify) + * AI, ML, Data & Analytics + * Blockchain + * CI/CD & Site Reliability + * Cloud + * Containers & Virtualization + * DevOps + * IoT & Embedded + * Networking & Edge + * Open Hardware + * Safety-Critical Systems + * Security + * Storage + * System Administration + * Web & Application Development + * Other (please specify) 49. Which category most closely defines your role? -* Developer or software engineer -* Other IT -* Community manager or developer advocate -* IT management, including CIO, CISO, CTO -* C-level (non-technology) management -* Marketing / PR -* Other + * Developer or software engineer + * Other IT + * Community manager or developer advocate + * IT management, including CIO, CISO, CTO + * C-level (non-technology) management + * Marketing / PR + * Other 50. What industry vertical is your company in? 
-* Defense -* _Education_ --- University --- For-profit services --- Other -* Financial services -* Healthcare -* Insurance -* Manufacturing and raw materials -* _Public Sector_ --- Local government --- National government --- International organization --- Non-governmental organization -* Retail -* Technology (software or IT) -* Telecom, communications or media -* Transportation and automotive -* Utilities -* Other + * Defense + * _Education_ + -- University + -- For-profit services + -- Other + * Financial services + * Healthcare + * Insurance + * Manufacturing and raw materials + * _Public Sector_ + -- Local government + -- National government + -- International organization + -- Non-governmental organization + * Retail + * Technology (software or IT) + * Telecom, communications or media + * Transportation and automotive + * Utilities + * Other 51. What is the name of your organization? (This information will not be published) -* Name of Company / Organization / Institution + * Name of Company / Organization / Institution 52. If you are interested in participating in an in-depth interview, please provide us with your name, email address, and the name of your organization. -* Name -* Organization -* Email address + * Name + * Organization + * Email address
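Review bot: The routing line after question 38 (unchanged context in this patch) sends "Yes" to Part 5b, but question 38 already sits under "Part 5b: Foundation Value" and its follow-up, question 39, is under "Part 5c: Foundation Value Follow-up". The target should read Part 5c, and "goes Part 5b" is also missing "to". Two related routing gaps are worth fixing in the same pass. Question 28 offers "Unknown" as an answer, yet its routing line covers only "Yes" and "No". Question 20 routes "No" and "Don't know" to "Part 5", while every other routing line names "Part 5a". The heading "## Part 4b: Not Using - Yes, employer would benefit" is also one level higher than its siblings "### Part 4a" and "### Part 4c".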
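Review bot: In question 50 the sub-options under `_Education_` and `_Public Sector_` are re-indented but still written as "-- University", "-- Local government" and so on. "--" is not a Markdown list marker, so these lines will render as continuation text of the parent bullet instead of as selectable nested options. Write them as nested list items under the parent, using the same "*" marker as the rest of the file.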
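Review bot: Question 52 asks for name, organization and email address but says nothing about how those details are handled, whereas question 51 directly above it carries "(This information will not be published)". Add an equivalent statement to question 52 saying that the contact details are used only to arrange the interview and are not published, and mark the fields as optional so a respondent can finish the survey without supplying personal data.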