Frequently Asked Questions

General
Funding
Security
People

General

Will the CommunityBridge code be open source?

With the public release today, we also wanted to update everyone on the open source plans for the software itself. We are currently cleaning up the code, enhancing documentation and getting ready to open source the codebase so that it will be easier for developers to learn the code and contribute. We are a nonprofit and don’t have an army of developers so it will take a bit more time. We’re also working on soliciting feedback from developers about our plans for the license, code upstreaming model, and code of conduct. In particular we are seeking to align the licensing structure with free software principles. We will open source the codebase with the next release targeted for early Q3.

What is CommunityBridge?

CommunityBridge is a platform created by the Linux Foundation to empower developers — and the individuals and organizations who support them — to advance open source sustainability, security, and diversity. CommunityBridge brings together project maintainers, contributors, and users to fund open source projects, improve code security, boost the size and diversity of open source communities, and much more.

Why was CommunityBridge created?

Open source powers more than 80% of the technology we all use every day, yet many of the world’s most critical developers and open source projects face barriers to growing and sustaining their communities: generating funding, improving security, and helping developers excel and contribute further.

Ensuring open source communities have the resources needed to secure and maintain their code, grow their communities, and advance these technologies is critical. CommunityBridge will help address these issues by:

  • Improving the sustainability of open source by putting more money into the hands of developers;
  • Nurturing new contributors and increasing diversity in open source communities by creating on-ramps for open source talent; and
  • Improving security best practices in open source development and providing visibility into specific dependencies and vulnerabilities that projects rely upon.

What services does CommunityBridge provide?

Throughout 2019 and 2020, the Linux Foundation will unveil a full suite of CommunityBridge services and tools designed to support maintainers, contributors, aspiring developers, and organizations that create and depend on open source software.

The initial services available at launch include:

  • CommunityBridge Funding: A crowdfunding service to raise money via donations from individuals and corporations so projects can pay maintainers and developers directly for their development efforts or project expenses. Features include fund matching, best practice badges, and diversity and civility promotions.
  • CommunityBridge Security: A project scanning service to provide maintainers with relevant information about upstream dependencies, security vulnerabilities, usage reports, and licensing details. Includes a bug bounty service to provide replicable defects as well as a backlog of actionable data that maintainers can easily use to improve the security and robustness of their projects.
  • CommunityBridge People: A mentorship matchmaking service that helps grow interested individuals into participating contributors in open source communities. It connects mentorship candidates with projects; mentees with mentors; projects with donors to provide mentorship stipends; and mentorship graduates with potential job opportunities.

Who can access CommunityBridge?

CommunityBridge is open to the public. Anyone can view the public dashboards for open source projects on CommunityBridge, apply to participate as a mentor or mentee, or donate funds to a project. Maintainers of open source projects that have made an impact on the world can apply to run crowdfunding campaigns or mentorship programs through CommunityBridge.

Is there a cost to host my project on CommunityBridge?

CommunityBridge is free for open source projects. No fees of any kind are assessed to open source projects on the platform.

Is there a cost to donors?

No fees of any kind will be charged for the first $10M USD raised through CommunityBridge; the Linux Foundation will underwrite the platform fees and payment processor fees for these donations. Every dollar of the first $10M raised will be available to the projects hosted on CommunityBridge for their use. Once the $10M milestone has been reached, contributions from individual and corporate donors will be subject to a 5% platform fee plus a payment processor fee.

How do I submit my project to CommunityBridge?

Simply log in with your Google, GitHub, or Linux Foundation ID and follow the step-by-step guide. The application process takes just a few minutes, but please note that only project maintainers and/or collaborators with administrative control can submit a project to CommunityBridge to be reviewed for inclusion.

Can I add other maintainers on my project?

At this time, CommunityBridge supports one maintainer per project who serves as the admin of that project within the platform.

How are CommunityBridge projects selected?

Inclusion of an open source project on CommunityBridge will be subject to the review and approval of the Linux Foundation. Among others, relevant considerations may include confirmation that the project is entirely an open source project; that it has sufficient indicia of broad community usage; and that it is aligned to the Linux Foundation’s purposes for the support of open source projects.

Funding

What are the benefits to hosting my project on CommunityBridge Funding?

CommunityBridge Funding enables a simple, managed process for your open source project to raise funds from donors and to reimburse for project expenses. CommunityBridge Funding is free for open source projects, and every dollar of the first $10M raised through CommunityBridge Funding will be passed directly to the projects hosted on CommunityBridge, resulting in more money to support critical work on your project.

Projects listed on CommunityBridge Funding also receive free daily scans via the CommunityBridge Security service in order to detect vulnerabilities in code repositories as well as library dependencies. Additionally, funds raised via CommunityBridge Funding can be applied towards mentorship programs via the CommunityBridge People service.

Are donors charged fees for donations to a project on CommunityBridge?

For the first $10M USD donated to projects through CommunityBridge Funding, the Linux Foundation will underwrite all platform fees as well as any fees charged by third-party payment processors. Every dollar of the first $10M raised through CommunityBridge Funding will be available to the projects hosted on CommunityBridge for their use. Once the $10M milestone has been reached, contributions from individual and corporate donors will be subject to a 5% platform fee plus a payment processor fee.

Does CommunityBridge require access to my code repository?

Yes, access to your code repository is required to support security vulnerability scanning by CommunityBridge Security. During the project onboarding process you’ll be required to authenticate with your GitHub ID to give CommunityBridge read-only access to the list of repositories that you maintain. Support for additional Git repository hosting platforms is coming soon.

Can I set my own fundraising goals, or does CommunityBridge set goals for me?

Project maintainers can set their own project fundraising goals. The project onboarding guide makes it easy to set goals and allocate percentages of that goal towards different options, like development, marketing, meetups, and travel. Project maintainers have the ability to adjust goals and allocations at any time.

What happens when a fundraising goal is reached?

Goals are guidelines, not hard stops, so you’ll be able to continue raising money beyond your goals. In addition, as you see progress in one or more areas, you can (and should) update them to reflect how you plan to utilize these additional funds.

How do projects review, allocate, and spend donated funds?

All expense reporting, approval, and reimbursement is currently handled via a third party application integrated with CommunityBridge. After an expense report or invoice is reimbursed through that application, it is synchronized with CommunityBridge to provide full transparency.

Do donors see how projects allocate and spend donated funds?

Yes, donors can see how funds are allocated and spent via a project’s public ledger. The Linux Foundation reviews, administers, and processes all requests for expenditures to ensure oversight for use of donated funds. This is done with full transparency so companies can see how donated funds are allocated.

Who decides whether a particular use of funds aligns with a donor's allocation?

Donors can suggest how they would like their funds to be used by selecting one of the project’s current goals at the time the donation is made, but project maintainers may use funds according to allocations other than what the donor has requested.

Can a donor object to a particular use of funds by a project?

No, after a donor has made their donation, they cannot later object to a project’s use of it. Prospective donors can review the project’s open ledger to see how it has previously used funds, as part of determining whether to donate to that project.

Do donors receive refunds if a project changes its goals or doesn’t allocate funds to specified goals?

No, donors cannot receive refunds or object to a project’s use of allocated funds. CommunityBridge provides a transparent and open ledger to provide visibility into expenditures and to help ensure donated funds are not abused.

Security

What is CommunityBridge Security?

CommunityBridge Security is a service that helps open source developers identify and remediate security vulnerabilities in order to create more secure code. Projects that are part of the CommunityBridge Funding service receive free daily scans via the CommunityBridge Security service in order to detect vulnerabilities in code repositories as well as library dependencies. A public dashboard gives developers visibility into open security issues and paths to remediation.

Does CommunityBridge automatically scan my project’s code?

Yes, if your project is set up on CommunityBridge Funding, then CommunityBridge Security automatically scans your code on a daily basis, and adds any detected vulnerabilities to your project dashboards. Issues are classified as high, medium, or low risk. An inventory of your project’s detected dependencies and licenses is mapped along with the dependency details.

What languages and programming ecosystems are supported for scanning?

Dependency and vulnerability scanning is currently supported for JavaScript, Node.js (npm), Java, Scala, Ruby, Python, Golang, .NET, and PHP. Static code analysis is supported for C and C++.

How are licenses identified?

CommunityBridge Security uses Snyk to scan a project’s Git-based repository and identifies dependencies’ licenses against the SPDX license list. License identification varies by ecosystem, but generally is produced via a combination of the stated license on the package, retrieving metadata from the registry, and detecting license information in manifest files.
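The normalization step described above (taking whatever licence string a package declares, in whatever shape the registry or manifest supplies it, and resolving it to an SPDX identifier that the project can then check against its own licence) is easy to underestimate. The following Python is an added illustration of that step and of the compatibility and notice-obligation questions raised under the intellectual property question below; it is not Snyk’s or CommunityBridge’s code. The SPDX subset, the alias table, the package names and the metadata records are all constructed for the example.

```python
"""Normalise dependency licence declarations to SPDX identifiers and flag
the ones a maintainer should look at. Added illustration only: not Snyk's
or CommunityBridge's code. The metadata below is constructed sample input
of the kind a registry lookup or manifest parse would return."""

# Small subset of the SPDX license list, enough for the sample (assumed).
SPDX_IDS = {
    "MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0",
    "MPL-2.0", "LGPL-2.1-only", "GPL-2.0-only", "GPL-3.0-only",
}

# Non-SPDX spellings that turn up in package metadata (assumed aliases).
# Deliberately no entry for bare "BSD": it is ambiguous between the 2- and
# 3-clause forms and should be resolved by hand, so it stays unrecognised.
ALIASES = {
    "mit": "MIT", "apache 2.0": "Apache-2.0", "apache-2": "Apache-2.0",
    "apache license 2.0": "Apache-2.0", "gpl-2.0": "GPL-2.0-only",
    "gplv2": "GPL-2.0-only", "gpl-3.0": "GPL-3.0-only", "gplv3": "GPL-3.0-only",
    "lgpl-2.1": "LGPL-2.1-only",
}

# Licences that impose obligations beyond notice retention.
COPYLEFT = {"MPL-2.0", "LGPL-2.1-only", "GPL-2.0-only", "GPL-3.0-only"}


def declared_license(meta):
    """Pull the licence string out of npm-style metadata, which may carry it
    as "license": "MIT", "license": {"type": ...}, or the legacy
    "licenses": [{"type": ...}] list."""
    lic = meta.get("license")
    if isinstance(lic, dict):
        lic = lic.get("type")
    if lic is None:
        legacy = meta.get("licenses") or []
        if legacy:
            first = legacy[0]
            lic = first.get("type") if isinstance(first, dict) else first
    return lic


def normalise(token):
    """One licence token -> SPDX id, or None if unrecognised."""
    t = token.strip().strip("()").strip()
    if t in SPDX_IDS:
        return t
    return ALIASES.get(t.lower())


def effective_terms(raw):
    """Reduce a licence string or a simple SPDX expression (no nesting) to
    the ids the consumer is bound by. "A OR B" keeps the most permissive
    recognised choice; "A AND B" keeps every term.
    Returns (set_of_ids, list_of_unrecognised_tokens)."""
    if not raw or not raw.strip():
        return set(), ["<missing>"]
    text = raw.strip().strip("()").strip()
    if " OR " in text:
        choices = [normalise(p) for p in text.split(" OR ")]
        known = [c for c in choices if c]
        if not known:
            return set(), [text]
        permissive = [c for c in known if c not in COPYLEFT]
        return {permissive[0] if permissive else known[0]}, []
    ids, unknown = set(), []
    for part in text.split(" AND "):
        sid = normalise(part)
        if sid:
            ids.add(sid)
        else:
            unknown.append(part.strip())
    return ids, unknown


def audit(deps, project_license):
    """deps: {package name: metadata dict}. Returns {name: finding} where
    finding["status"] is "ok" (notice retention only), "copyleft" (needs a
    compatibility decision against the project's own licence) or "unknown"
    (manual review of the package's licence file)."""
    report = {}
    for name, meta in deps.items():
        ids, unknown = effective_terms(declared_license(meta))
        if unknown:
            status = "unknown"
        elif (ids & COPYLEFT) and project_license not in COPYLEFT:
            status = "copyleft"
        else:
            status = "ok"
        report[name] = {"spdx": sorted(ids), "unrecognised": unknown,
                        "status": status}
    return report


# Constructed sample: what a registry lookup / manifest parse might yield.
SAMPLE_DEPS = {
    "tiny-util":       {"license": "MIT"},
    "legacy-fmt":      {"licenses": [{"type": "BSD", "url": "https://example.invalid/LICENSE"}]},
    "strict-copyleft": {"license": "GPL-3.0"},
    "dual-licensed":   {"license": "(MIT OR GPL-2.0-only)"},
    "mixed":           {"license": "Apache-2.0 AND MPL-2.0"},
    "custom":          {"license": "SEE LICENSE IN LICENSE.txt"},
}

if __name__ == "__main__":
    for name, f in audit(SAMPLE_DEPS, "MIT").items():
        print(f"{name:16} {f['status']:9} {f['spdx']} {f['unrecognised']}")
```

Two design points matter in practice. First, a declaration that does not resolve to an SPDX identifier is reported as unknown rather than guessed; "BSD" on its own and "SEE LICENSE IN ..." are exactly the cases where a human has to read the licence file. Second, a choice expression is resolved to the most permissive option, which is what a downstream consumer is entitled to pick, while a conjunction keeps every term so that a single copyleft component in an "AND" is not lost.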

What partners support the CommunityBridge Security service?

For CommunityBridge Security we are partnering with a few solutions providers where it makes sense. For example, projects can choose to allocate funds raised through the CommunityBridge Funding service to administer bug bounty programs through a partnership with HackerOne. Snyk provides daily vulnerability scanning for all projects on CommunityBridge (Funding and People) to identify vulnerabilities and dependencies — and to help manage IP risk with license verification. By working with source{d}, the CommunityBridge platform will have static code analysis to identify vulnerabilities and bugs in a project’s own code, independently of its dependencies.

How does CommunityBridge help a project manage its intellectual property obligations?

First, CommunityBridge automatically provides all projects using CommunityBridge Security with access to dependency license scans. CommunityBridge provides a project and its maintainers with visibility into the full tree of direct and indirect third-party dependencies that Snyk detects as leveraged by the project, along with reporting the licenses Snyk associates with those dependencies. This reporting gives maintainers a simple, lightweight and zero-effort view into the array of third-party licenses that their project relies upon. It helps enable projects to make determinations about whether to avoid particular dependencies — for example, if their licenses might be incompatible with the project’s own license, IP policies and community objectives. It also helps projects identify their compliance obligations for the dependencies they use — for example, which license notices they need to reproduce when they distribute those dependencies.

Second, the Linux Foundation’s new CLA service tackles the difficult problem of ensuring that Contributor License Agreements are utilized appropriately by projects that require them. The new CLA service handles corporate authority considerations by requiring corporate CLAs to be signed by an authorized signatory of a company. It enables companies to control which of their employees are authorized to contribute to which projects under the signed CLAs. Depending on their own needs and processes, companies can take a fine-grained approach by specifying individual authorized contributors’ email addresses, or can easily authorize all employees across a domain name. The CLA service facilitates all these workflows and ensures that code contributions can only be accepted after the contributor satisfies the CLA requirements. Although the CLA service is initially available to Linux Foundation-hosted projects, we hope to make it available to a broader set of projects, including those on CommunityBridge.

People

What is CommunityBridge People?

CommunityBridge People is a service for connecting mentees with mentors to increase diversity and inclusion and inject new talent into open source communities. Each open source project participating in CommunityBridge People is responsible for developing the structure and guidelines for their own mentorship program, including identifying mentors and mentees, outlining tasks for mentees, and determining stipends and/or other incentives for participants.

How long do mentorship programs last?

Each project decides the duration of its mentorship programs, but most start at 12 weeks. Projects often offer opportunities for part-time and full-time mentorships. For example, the Linux Kernel Mentorship Program includes both full-time and part-time volunteer mentee positions each year.

How does diversity grant matching from the Linux Foundation work?

To encourage participation and support diversity initiatives, the Linux Foundation is offering $3,000 USD matching project stipends for the first 100 candidates selected for diversity mentorships. Diversity grant matching is only available to projects that are participating in CommunityBridge Funding and providing stipends for mentees. Linux Foundation projects participating in only CommunityBridge People are not eligible for matching, with the exception of the Linux Kernel. In order to be considered, candidates must first be accepted into a project’s mentorship program and then apply by emailing mentorship@linuxfoundation.org.

Who can participate?

People looking for professional advancement in open source as well as students are welcome to apply to participate as mentees. Mentors must be approved or invited to participate by that project’s maintainer. All applicants must meet the CommunityBridge People eligibility requirements outlined in the CommunityBridge People Guide.

Do mentees get compensated?

Mentees are not employees of the Linux Foundation or of the project providing the mentorship, so they are not directly paid wages for their participation in the mentorship. However, many projects choose to offer stipends and other incentives to support and encourage mentees to participate. Funding for stipends and other perks is determined solely by each project. The Linux Kernel, for example, will offer a total stipend of $5,500 USD per mentee for the mentorship period, and mentees also receive travel funding to industry conferences to present the work they’ve done during the program.

What happens after I graduate from a mentorship program?

Mentorship program graduates are listed on CommunityBridge. Employers who have opted in can receive referrals for mentee graduates from the mentors who worked with them during the mentorship program. Employers that receive referrals can choose to contact graduates about potential employment opportunities.

Are resumes uploaded by mentors or mentees ever shared with third parties?

Mentee resumes can be shared with mentors during the application process. After successfully completing the mentorship program, mentee resumes can be shared with prospective employers who have registered for the CommunityBridge platform and been approved by the Linux Foundation. Mentee resumes can also be shared with project maintainers and administrators.

What are some of the projects and employers participating in CommunityBridge People?

Open source projects participating in CommunityBridge People include the Linux Kernel, Zephyr, Open Mainframe Project, Jaeger, and Vue.js. Corporate participants include Huawei, Twitter, and Uber.