The simple version
Most of the software that runs the internet was built by unpaid volunteers, and the companies making billions on top of it mostly didn’t pay for it.
How we got here
In 2021, a security researcher found a critical vulnerability in a Java logging library called Log4j. Not an obscure library, either. Log4j was embedded in systems at Apple, Amazon, Microsoft, Cloudflare, and thousands of other companies. The vulnerability, once public, could let attackers execute arbitrary code on affected servers. The scramble to patch it cost enterprises an estimated tens of billions of dollars in engineering time.
The team responsible for Log4j? Mostly volunteers. The library had been maintained for years by a handful of people working in their spare time.
That’s the open source economy in a sentence: companies extract enormous value from software they didn’t build and don’t maintain, while the people who actually build and maintain it run on goodwill and the occasional GitHub sponsor donation.
What ‘free software’ actually costs
The word ‘free’ in open source has always meant freedom, not price. Richard Stallman was explicit about this in the 1980s when he started the GNU project: free as in speech, not free as in beer. But somewhere along the way, the industry decided it meant both.
Open source maintainers don’t just write code once and walk away. They review pull requests, triage bug reports, write documentation, field questions from users who didn’t read the documentation, handle dependency conflicts, track down security vulnerabilities, and do it all while the companies using their software treat them like a free support tier.
Consider what this looks like at scale. The npm ecosystem, which underpins essentially all modern JavaScript development, contains hundreds of thousands of packages. Many of them are maintained by single developers with no institutional backing. The famous example: a package called is-odd (which checks whether a number is odd, nothing more) was downloaded hundreds of millions of times. Its maintainer was one person.
The npm ecosystem as a whole had a moment of reckoning in 2022 when a maintainer named Marak Squires deliberately sabotaged his own widely used packages, colors and faker, after years of unpaid work supporting companies that shipped products on top of them. He added code that printed a political message and caused apps to crash. It was destructive. It was also, if you understand what led to it, completely legible.
The math that doesn’t add up
Here’s a useful way to think about the economics. When a company buys a software license, the price reflects some negotiated value, support costs, and ongoing development. When a company uses an open source library, it pays nothing while consuming real resources: the maintainer’s time, attention, and often emotional energy.
A 2020 study by the Linux Foundation and Harvard’s Laboratory for Innovation Science attempted to estimate what it would cost to rebuild all the open source software used in modern software stacks from scratch. Their estimate was in the hundreds of billions of dollars. That’s the value being extracted without compensation.
The companies on the receiving end of this arrangement aren’t villains. They’re rational actors. If a high-quality library is available for free, using it and not paying for it is just… using free software. The problem is a structural one: open source licenses, almost by design, don’t create any obligation to contribute back.
Some companies do contribute back. Google, Microsoft, and Meta employ engineers who work on open source projects full time. But this is not altruism. They contribute to projects that are strategically useful to them: Kubernetes, the Linux kernel, React. The long tail of smaller projects that holds the whole thing together gets comparatively little.
Why it keeps working until it doesn’t
The honest answer to ‘why does anyone maintain open source software for free?’ is: a lot of them are doing it for reasons that have nothing to do with money. Pride of craft. The social reward of being known in a community. The genuine satisfaction of building something useful. These are real motivations and they shouldn’t be dismissed.
But they’re also fragile. Maintainer burnout is endemic. People have lives, jobs, families. The project that a single developer kept running for a decade can go dark in a week, and every company that depends on it suddenly has a problem.
This is more than a theoretical risk. The left-pad incident in 2016 (when a developer removed a tiny package from npm that turned out to be a dependency of half the internet) caused widespread build failures across the industry. The xz Utils backdoor in 2024 was the result of a sophisticated social engineering campaign that specifically targeted an overworked, underfunded maintainer. The attacker didn’t have to be brilliant. They just had to be patient with someone who was exhausted.
Security researchers and engineers who study open source supply chains have pointed out for years that this is a structural vulnerability, not a personnel problem. You can’t fix it by finding better maintainers. You fix it by making maintenance economically viable.
What’s actually being tried
A few approaches have gained traction, none of them fully satisfying.
GitHub Sponsors and Open Collective let individuals and companies donate to maintainers directly. The amounts involved are almost always inadequate. It’s hard to maintain a library that millions of people use on coffee-money patronage.
The Sovereign Tech Fund, a German government initiative, has taken the more radical position that open source infrastructure is a public good and should be funded like one. They’ve paid for security audits and maintenance work on foundational projects. It’s a good model and it should be copied more widely.
Tidelift is a company that aggregates open source maintainers into a support subscription that enterprises can buy. The pitch to companies is: pay for the support and security guarantees you’re already implicitly expecting. The pitch to maintainers is: get paid for the work you’re already doing. It’s a clever attempt to bridge the market gap, and it’s working to some degree.
The Open Source Security Foundation, which grew out of the Log4Shell response, is trying to coordinate industry funding for security-critical projects. Progress is real but slow.
The cleanest version of the argument is this: if your company’s infrastructure depends on a piece of software, and that software is maintained by volunteers, you have accepted a liability you probably haven’t priced correctly. The economics of free software only look favorable until they don’t.
The trillion-dollar industry built on top of open source is not going to collapse tomorrow. But it has a labor problem that it’s mostly chosen to ignore, and the people paying the price for that choice are the ones writing the code.