For Individual Projects and Maintainers

You carry the responsibility. We help you shoulder it. #

Open source projects are often maintained by a handful of people — sometimes by a single person. These maintainers carry an enormous responsibility: thousands of companies depend on their work, but there is no budget, no contract, and no support channel. Every bug is their bug. Every vulnerability is their vulnerability.

OTTRIA knows this reality. Our founder is himself a FreeBSD committer with over 1,000 commits. We know what it feels like to keep a project running while the world expects everything to simply work.

What is coming your way #

The new EU laws do not directly target maintainers — but they create enormous indirect pressure:

• DORA obliges financial institutions to conduct "open source analyses" (Art. 25(1) DORA) and to manage all ICT third-party risks (Art. 28(1-3) DORA). This means: banks and insurance companies will approach you — with compliance questionnaires, demands for documented security processes, and expectations regarding response times.
• NIS2 makes the assessment of the security processes of all suppliers a mandatory measure (Art. 21(2)(d) NIS2) — including the open source projects that companies depend on. Critical infrastructure operators will demand evidence from you that you cannot provide.
• Product liability makes software a product subject to liability (Art. 4 Directive 2024/2853). When one of your components causes damage, the manufacturer will point to you — legally questionable, but the pressure comes.
• CRA obliges manufacturers to exercise due diligence when integrating open source components (Art. 13(5) CRA). You will be asked: do you have a security strategy? What is your vulnerability process? How quickly do you respond?

These enquiries come in enterprise language, in enterprise formats, and with enterprise expectations. OTTRIA intercepts this: we are the point of contact for the enterprise world, so you can focus on your code.

How we concretely help #

Hardware and infrastructure #

You need build servers, test machines, or CI/CD pipelines? We provide the infrastructure you need for reliable releases — without you having to seek sponsors.

Code contributions and tests #

We work directly in your project. This means: code reviews, patches, test suites, regression tests, and fuzzing. Not as a one-off action but as ongoing support.

Holiday cover for maintainers #

Maintainers need breaks. Burnout is a real problem in the open source world. When you need time off — whether for two weeks or two months — we ensure your project keeps running. Security updates are applied, critical issues are addressed, releases are conducted as needed.

Bug bounties without your own budget #

Many projects benefit from bug bounty programmes but cannot afford one. OTTRIA funds bug bounties for projects that appear in our clients' SBOMs. When someone responsibly reports a vulnerability in your project, they are rewarded — from our budget, not yours.

Talent development #

Good maintainers do not appear out of nowhere. We support emerging developers and security researchers who want to contribute to open source projects long-term. This means mentoring, training, and the opportunity to gain practical experience in supported projects.

What we protect against #

Burnout #

Expectations of maintainers are high. Companies demand fast fixes, users report bugs without context, and the work is rarely acknowledged. OTTRIA relieves you by taking over part of the operational burden — so you can focus on the work that matters to you.

Project deletion #

When a maintainer gives up and a project is deleted, thousands of companies have a problem. OTTRIA maintains mirrors and forks and can take over maintenance as needed. Your project does not simply disappear.

Licence changes #

More and more projects change their licence, often under the pressure of commercial interests. OTTRIA monitors these developments for supported projects and provides early information when changes are pending that could affect users.

What we do not do #

We do not co-opt your project. We do not fork without reason. We do not impose conditions. Your project remains your project — we are supporters, not owners.

We work transparently and publicly. Every commit, every patch, every review is visible to everyone.

Why we do this #

OTTRIA is paid by companies that need to secure their open source supply chain. Part of this work consists of strengthening the projects these companies depend on. This is not a charity model — it is an economic necessity that benefits all sides.

You benefit from concrete support. Companies benefit from more stable, more secure projects. And the entire ecosystem becomes more resilient.

You maintain an open source project and need support? Write to us — we will find out how we can help.