Modern software runs on open source. In fact, “free” and open source software generates more than $500 billion in annual value in the U.S. alone and an estimated $8.8 trillion in total global value.
For most organizations, “dependency management” means tracking what you use, scanning for known vulnerabilities, and patching when you’re forced to. That work matters—but it mostly addresses what’s visible: direct dependencies, known CVEs, and near-term upgrades.
However, the real risk lives below the surface.
Open source is made up of many complex ecosystems: deep transitive dependency chains, small maintainer teams, uneven review capacity, and critical projects that are “everywhere” but owned by no one. When a project’s human bandwidth collapses – through maintainer burnout, underfunding, or a thin contributor pipeline – security and stability degrade quickly. The result is a recurring pattern the industry knows too well: emergency patch cycles, fragile forks, and “silent” maintenance debt that compounds until it becomes a business outage – sometimes even global disruption.
A practical model: Structured contributor pipelines
Bloomberg has been developing – in partnership with nonprofit foundations that support open source – a mentorship-based approach to open source stewardship that focuses on the key missing ingredient: creating sustained contributor capacity for maintainers and projects.
Instead of one-off patches, we run time-bound cohorts where Bloomberg engineers – including many who have never contributed to open source – spend volunteer hours learning to contribute directly to a project with structured support from experienced open source guides:
- A clear onboarding path (setup, starter issues, contribution norms)
- Weekly office hours with project maintainers and mentors
- A focus on high-leverage maintenance work that maintainers rarely have time for, such as issue triage, tests, docs, small-to-medium fixes, examples, and tooling
We’ve successfully tested this model across multiple cohorts with the pandas project – run in partnership with NumFOCUS and the project’s maintainers – and most recently scaled it through a cross-industry collaboration with NVIDIA. Across all cohorts, two outcomes were consistent: contributors built confidence and capability faster, and maintainers got meaningful relief on the operational load that has typically blocked long-term progress.
The next cohort: OpenTelemetry with CNCF
In Q2 2026, Bloomberg is partnering with the Cloud Native Computing Foundation (CNCF) and the maintainers of OpenTelemetry to run our next Sustaining Open Source mentorship cohort. Our efforts will be focused on OpenTelemetry – the vendor-neutral observability framework underpinning traces, metrics, logs, and increasingly, production reliability across the industry – an open source project that we make heavy use of at Bloomberg.
Program window: April 8 – June 17, 2026
Format: ~2 hours/week per Bloomberg participant, remote-friendly
Mentorship: 7 OpenTelemetry mentors/maintainers supporting office hours and async guidance. Huge thanks to the participating maintainers: Damien Mathieu, Juraci Paixão Kröhling, Kemal Akkoyun, Pierre Tessier, Severin Neumann, Vitor Vasconcellos, and Chengzhong Wu (Bloomberg).
30-45 Bloomberg engineers will participate in this program. They will contribute directly to OpenTelemetry in areas aligned with real community needs, including instrumentation, Collector components, SDKs, semantic conventions, documentation, and examples. The intent is not to “sponsor a sprint,” but to build a repeatable, low-friction contributor pipeline that strengthens the project’s resilience over time.
Why this matters now
AI is accelerating code creation while increasing review burden (“review tax”) and maintainer load. At the same time, regulators and customers are raising expectations related to supply chain integrity, SBOM completeness, and coordinated vulnerability response. In this environment, the most durable strategy is not purely reactive dependency management – it’s stewardship: investing in the upstream capacity that keeps critical digital infrastructure healthy over the long term.
We’ll share outcomes and learnings with the CNCF community after the cohort wraps up, including what work landed in the project, what contributor pathways proved effective, and what this model suggests for scaling cross-company collaboration in a vendor-neutral way.
If your organization is exploring practical ways to support OpenTelemetry (or other key OSS projects) beyond funding alone, we’d love to compare notes and learn together.
This blog has also been published on the Bloomberg website.