🤖 AI Summary
This study investigates fraud risks associated with monetary incentive mechanisms in Free and Open-Source Software (FOSS) projects and their implications for long-term sustainability. Employing a mixed-methods approach—including systematic literature review, comparative case studies, empirical Sybil attack analysis, and security auditing of the npm ecosystem—the work systematically contrasts the anti-fraud resilience of centralized (Sovereign Tech Fund, STF) versus decentralized (tea project) funding models for the first time. Results indicate that STF’s human-in-the-loop review and multi-dimensional evaluation confer high fraud resistance, whereas the tea project’s reliance on manipulable quantitative repository metrics renders it vulnerable, as empirically confirmed by large-scale Sybil attacks on npm. The study identifies an inherent structural weakness in purely monetary incentives and argues that non-commercial incentives—such as reputation capital and governance rights—are critical complements for enhancing ecosystem resilience. These findings provide both theoretical grounding and practical warnings for designing sustainable FOSS funding mechanisms.
📝 Abstract
Free and open source software (FOSS) is ubiquitous on modern IT systems and has accelerated the speed of software engineering over the past decades. With its increasing importance and historical reliance on uncompensated contributions, questions have been raised regarding the continuous maintenance of FOSS and its implications from a security perspective. In recent years, different funding programs have emerged to provide external incentives that reinforce the sustainability of community FOSS. Past research primarily focused on analysing what types of projects have been funded and for what reasons. However, it has neither been considered whether there is a need for such external incentives, nor whether the incentive mechanisms, especially with the development of decentralized approaches, are susceptible to fraud. In this study, we explore the need for funding through a literature review and compare the susceptibility to fraud of centralized and decentralized incentive programs by performing case studies on the Sovereign Tech Fund (STF) and the tea project. We find that non-commercial incentives fill an important gap, ensuring the longevity and sustainability of projects. Furthermore, we find that the STF is able to achieve a high resilience against fraud attempts, while tea is highly susceptible to fraud, as evidenced by the revelation of an associated Sybil attack on npm. Our results imply that special considerations must be taken into account when utilizing quantitative repository metrics, regardless of whether spoofing is expected.
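As an added illustration, not taken from the paper, of why a metric-driven funding model needs the "special considerations" the abstract calls for: a naive dependents count next to a Sybil-aware one, run over constructed npm-style metadata. The field names, the sample packages and the thresholds are assumptions made for this example.

```python
"""Naive vs. Sybil-aware dependent counts over constructed npm-style metadata.

Assumption: registry metadata is reduced to the fields below (real npm
documents carry far more) and the thresholds are illustrative, not tuned.
"""
from collections import defaultdict

# Constructed sample: two genuine dependents from distinct publishers, plus a
# burst of 150 empty "shell" packages from one account, all depending on the
# same target. The shell packages have no downloads because nobody uses them.
PACKAGES = [
    {"name": "target-lib", "publisher": "maintainer", "created_day": 0,
     "weekly_downloads": 50000, "deps": []},
    {"name": "webapp", "publisher": "acme", "created_day": 200,
     "weekly_downloads": 1200, "deps": ["target-lib"]},
    {"name": "cli-tool", "publisher": "beta-corp", "created_day": 340,
     "weekly_downloads": 300, "deps": ["target-lib"]},
] + [
    {"name": f"shell-{i}", "publisher": "sybil-account",
     "created_day": 900 + i // 50, "weekly_downloads": 0, "deps": ["target-lib"]}
    for i in range(150)
]


def naive_dependents(packages, target):
    """The raw count a purely quantitative model might reward directly."""
    return sum(target in p["deps"] for p in packages)


def sybil_aware_dependents(packages, target, min_downloads=10,
                           burst_days=7, burst_size=20):
    """Count dependents, but (1) ignore packages nobody downloads, (2) credit
    each publisher at most once, and (3) report publishers that created a
    burst of dependents inside a short window, the typical Sybil signature."""
    dependents = [p for p in packages if target in p["deps"]]
    used = [p for p in dependents if p["weekly_downloads"] >= min_downloads]
    credited_publishers = {p["publisher"] for p in used}
    days_by_publisher = defaultdict(list)
    for p in dependents:
        days_by_publisher[p["publisher"]].append(p["created_day"])
    suspicious = sorted(
        pub for pub, days in days_by_publisher.items()
        if len(days) >= burst_size and max(days) - min(days) <= burst_days
    )
    return {"raw": len(dependents),
            "credited": len(credited_publishers),
            "suspicious_publishers": suspicious}


if __name__ == "__main__":
    print(naive_dependents(PACKAGES, "target-lib"))          # 152
    print(sybil_aware_dependents(PACKAGES, "target-lib"))    # credited 2
```

The raw count credits the target with 152 dependents while the Sybil-aware view credits 2 and names the account behind the burst; a funding model that pays on the raw number pays for the shells.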