The software stack running your bank, your hospital, your favorite AI product, and most of the internet was largely written by people who weren’t paid to write it. Linux runs the majority of the world’s servers. Apache and Nginx serve most of the web. OpenSSL encrypts a staggering share of internet traffic. PostgreSQL stores data for companies worth hundreds of billions of dollars. The people who built and maintain these projects are, in many cases, hobbyists, academics, and volunteers working evenings and weekends.
This is not a feel-good story about community. It’s a structural problem that the industry has chosen, collectively and deliberately, to ignore.
The Extraction Economy Nobody Talks About
The open source model runs on a straightforward premise: code is a public good, and making it freely available accelerates innovation for everyone. That premise is correct. The problem is that “freely available” has been systematically misread as “free to exploit indefinitely without reciprocity.”
The companies profiting most from open source are also the least likely to contribute back. Cloud providers in particular have built multi-billion-dollar businesses on open source projects they didn’t create. Amazon Web Services offers managed versions of Elasticsearch, Redis, MongoDB, and dozens of other tools. The original maintainers get nothing except the occasional bug report. AWS does not hide this arrangement. It’s the business model.
When the Log4Shell vulnerability was discovered in late 2021, the Log4j library sat at the center of a global security crisis affecting hundreds of millions of devices. Log4j was maintained by a handful of volunteers. The Apache Software Foundation, which oversees the project, operates largely on donations. The organizations scrambling to patch their systems had contributed essentially nothing to the project whose failure suddenly cost them millions in emergency remediation.
Why Maintainers Burn Out and Quit
The math of open source maintenance is punishing in ways that only become visible when something breaks. A maintainer publishes a library. It gets incorporated into a popular framework. That framework gets used by a thousand applications. The maintainer now fields bug reports, security disclosures, feature requests, and hostile issues from users who treat free software like a product with a service level agreement. None of those users are paying. Many are representatives of companies that could afford to.
The psychological toll compounds the financial one. The story of individual maintainers holding critical infrastructure together is not an edge case. It’s the default condition of the open source ecosystem. When maintainers finally quit, as they regularly do, the project either dies, forks into competing versions, or gets handed off to someone equally unpaid who hasn’t yet reached their limit.
Fabian Gruber’s 2021 research into npm (the package registry for JavaScript) found that a tiny number of maintainers are responsible for an outsized share of widely-used packages. The dependency chains in modern software mean that a single burned-out developer in Germany or Brazil might be the single point of failure for software running in hospitals across three continents. The problem of unmaintained software in critical infrastructure deserves more attention than it gets in the budgeting meetings of companies that depend on it.
The Models That Actually Work, Sort Of
The industry has produced a few responses to this problem, none of them fully satisfying.
The foundation model pools contributions from corporations and channels them toward project maintenance. The Linux Foundation, Apache Software Foundation, and OpenSSF (Open Source Security Foundation) operate this way. It works reasonably well for flagship projects with enterprise visibility. It does little for the long tail of critical dependencies that nobody has heard of until they fail.
The open core model lets companies build commercial products on top of open source foundations. HashiCorp, Elastic, and MongoDB have all pursued versions of this. The tension is inherent: the commercial layer has to be valuable enough to justify paying for, which means the free tier has to be limited enough to push users toward payment. When companies get this wrong, they typically overcorrect by restricting the open source version so aggressively that the community fragments. HashiCorp’s decision to change Terraform’s license in 2023 triggered exactly this outcome, producing OpenTofu as a community fork.
Direct sponsorship through platforms like GitHub Sponsors and Open Collective represents the most honest version of the model: people and organizations who benefit from a project pay the maintainer directly. The amounts are rarely commensurate with the value delivered. A maintainer whose library gets downloaded fifty million times per month might collect a few thousand dollars in monthly sponsorships. The gap between value created and value captured is enormous.
The Pricing Problem Is Also a Perception Problem
Part of the difficulty is that open source software has a pricing problem that’s actually a perception problem. Software that’s always been free is psychologically difficult to start charging for. Users who’ve never paid experience any payment request as a betrayal, even when the project is genuinely indispensable and the maintainer is genuinely struggling. The zero-dollar anchor is almost impossible to move. As any founder who’s tried to set a first price knows, anchoring matters enormously, and open source anchors at zero by default.
The companies most positioned to fix this are the hyperscalers and large enterprises that have the most to lose from ecosystem collapse. A few of them have started to act. Google contributes meaningfully to projects like Chromium and V8. Microsoft’s acquisition of GitHub shifted the company from open source antagonist to significant contributor. These are real changes. They don’t come close to matching the scale of extraction that the industry conducts every day.
The Infrastructure Tax Nobody Wants to Pay
Think of open source software as infrastructure. Roads, bridges, and electrical grids are also built by relatively small groups of people and used by vastly larger populations who mostly pay nothing at the point of use. The difference is that governments tax economic activity and direct some of that revenue toward maintaining shared infrastructure. Open source has no equivalent mechanism.
The EU’s Cyber Resilience Act, which began taking shape in 2022, is one of the first serious attempts by any regulatory body to grapple with what happens when commercial products built on open source code have security failures. Its initial drafts alarmed the open source community by potentially placing liability on maintainers. The final direction moved toward requiring companies that commercialize open source software to take more responsibility for security. Whether this produces meaningful funding for maintainers or just additional compliance theater remains to be seen.
The most honest thing the industry could do is treat open source dependency as an operating cost and budget accordingly. Some companies do. Most don’t. Until the incentives change, the world’s most critical software will keep running on the goodwill of people who have every reason to stop.
