Fuel the Future of Open Source
Grab your slice of our $20 million Open Source Sustainability Fund

Funding Maintainers.
Backed by Experience.
We’ve written patches for unmaintained codebases, tracked down vulnerabilities where no one else was looking, and kept critical systems running safely without rushed rewrites. This fund builds on that work, so maintainers can keep doing what they do best, with real backing behind them.
Our Criteria and Commitment
Our program criteria focuses on ecosystem hygiene and security to guide and support open-source best practices. We partner with teams to help them meet these standards and provide funding to further strengthen and sustain their impact in the open-source community.
Releases & Versioning
Use predictable, documented versioning (SemVer/PEP 440), announce new releases through all official channels, and clearly mark CVE-related fixes.
Communication & Transparency
Clearly state which versions are supported, deprecated, or EOL, and provide advance notice of changes with timelines appropriate to project size.
Documentation
Define deprecation policies, tag deprecated versions, specify support timelines, and indicate when versions will be entirely removed.
Support & Deprecation Handling
Provide clear adoption/removal timelines, backport critical fixes to LTS only, keep deprecations non-breaking, and surface warnings in changelogs and runtime.
Processes & Tiers
Maintain clear processes for reporting issues and security concerns, define support tiers (Current, LTS, EOL), and encourage migration or alternate support solutions when versions reach EOL.
Select to view by criteria:
Version End-of-Life
- Community is notified of a release when it occurs.
- Should be communicated via all official channels (X/Twitter, GitHub Repo, Website docs, etc).
- Clear definition of what happens when a new version is released.
- Defines impact of major, minor, or patch release.
- When a new version is released, the community knows the up-to-date support status of previous releases.
- Releases that address CVEs are identified as such
- Inform community as to whether or not backport patches mitigate known vulnerabilities.
- It is recommended a project uses an industry standard versioning (eg Semantic Versioning or for PyPi packages, PEP 440).
- If project is not currently following SemVer, versioning structure is predictable, intuitive, and documented for the community.
- Documentation clearly dictates which versions are end-of-life versus supported.
- Announcing releases
- Many small project tend to release a new major version with little to no warning, immediately drop support for older majors; Larger projects tend to forecast new release lines in advance and explicitly indicate a long-term support period for the now-previous release line.
- Announcements for EOL events are made in a timely manner.
- Benchmark timeframes to consider:
- Widely adopted foundational libraries/frameworks: 12-18 months
- Moderately adopted projects (10k+ users): 6-12 months
- Small and/or niche projects: 3-6 months
- If applicable, there is a support period for now-previous release lines to allow time for transitioning or migration.
- Benchmark timeframes to consider:
- End of life events are posted to the official channels of the project.
Deprecation
- There is a definition of deprecation
- How it is treated
- If it receives bug fixes / patches
- How vulnerabilities affect these versions
- Tagging is used in all official documents to notate versions that have been deprecated.
- When a new version release occurs that impacts the status of a prior version, there is documentation about which version(s) become deprecated and/or end of life.
- A time frame is specifically mentioned as to when a deprecated version will be removed completely and/or will no longer be supported at all.
- If applicable, project will leverage ecosystem-specific tools to report deprecations.
- There is a recommended timeline for the community to follow for:
- Adoption of new features, and
- Removal of deprecated features.
- There is structure for support of deprecated features. Example:
- Introduced in minor releases
- Removed in next major release
- Critical vulnerabilities are backported in LTS only.
- Deprecations must be non-breaking.
- Runtime warnings are added into logs / console while being used.
- Deprecation events show in change logs and release notes.
Support Policies
- There is a process in place for the community to report issues.
- There is a process in place to respond to reported issues.
- There is a process in place to report security violations.
- Define version support tiers so that it is clear to the community.
- Example 1:
- Current: Full security vulnerabilities and bug support.
- LTS: Security vulnerabilities only.
- EOL: If critical, security vulnerabilities.
- Example 2
- Latest (or Supported)
- Unsupported
- Example 1:
- It is clear via documentation to developers which versions are supported versus unsupported.
- Expectations are set as to which versions are recommended for use by developers (supported) versus which are intended as pre-release or development versions.
- When a version goes EOL, users are encouraged to either migrate OR establish a support solution of migration is currently not an option
- Note: This may be through HeroDevs services so that migration timelines may be established or identified remaining supported on older versions.
Frequently Asked Questions
Of course, if you can't find the answer you're looking for, feel free to contact us.
We’ve started the Open Source Sustainability Fund with the idea that keeping open source healthy and sustainable is essential for the community’s success, from maintainer to user. The Fund provides support to open source software by not only encouraging the implementation of best practices, but also giving back to the community to fuel continual work on open source projects.
- You are a maintainer of open-source projects under an OSI-approved license.
- Versions of your project are approaching or are already past official EOL.
- You’re ready to keep users secure, compliant, and CVE-free!
You can submit an application here.
When you apply, a member of our team will reach out and let you know your application is received and under review. If approved, we will contact you to begin the process of criteria review and implementation of best practices.
Grants range from $2,500 to $15,000.
The program has a set of criteria that outlines best practices for safe and effective ecosystem hygiene. Once accepted into the program, the project will receive a Best Practices Form, a self-service activity that allows maintainers to showcase practices already implemented, and receive guidance on how to make changes to improve their ecosystems to align with best practices.
Absolutely! HeroDevs is here to help you every step of the way. We want maintainers to be successful while they continue to provide their users with the software they need. We welcome any and all questions or requests for support throughout the program and beyond.
HeroDevs does offer other types of partnerships that focus solely on versions that have gone end-of-life. If you are interested in partnerships outside of the Fund, please contact us to learn more!