The simple version

Most of the software that powers the internet was built for free by volunteers and is still maintained, mostly for free, by a small number of those same people. The companies that depend on it rarely pay for it.

What open source actually is

If you’ve used the internet today, you’ve already relied on open source software. The web server that delivered this page, the encryption that secured it, the programming languages behind the app you opened this morning, the database storing your data, the tools the developers used to build all of it. Almost all of that is open source: code that anyone can read, use, modify, and distribute, usually at no cost.

This is not a niche corner of the software world. Open source is the foundation. The Linux kernel runs the majority of web servers globally, including the machines behind most major cloud platforms. The OpenSSL library handles encrypted connections across an enormous share of the internet. Languages like Python, tools like Git, databases like PostgreSQL, infrastructure tools like Kubernetes, all open source, all load-bearing.

The companies built on top of this infrastructure are, in many cases, worth billions. The infrastructure itself is often maintained by people doing it on evenings and weekends.

How we got here

Open source started as a philosophical movement before it became an economic one. The idea was that software should be free to share and improve, that hoarding code was wasteful, that collective maintenance would produce better outcomes than proprietary silos. Those ideas weren’t wrong. The outcomes were often genuinely better.

What nobody fully anticipated was the scale at which this free infrastructure would be captured by commercial interests without proportionate contribution back.

The dynamic works like this: a developer or small group of developers builds a library that solves a real problem. They release it freely. Other developers start using it. Companies start building products on top of it. The library becomes critical infrastructure. The original maintainer keeps receiving bug reports, feature requests, and security disclosures, now at enterprise scale, still on their own time.

The maintainer doesn’t get a cut of the value their work creates. They get a GitHub notifications inbox.

Why companies don’t pay

This is not primarily a story about evil corporations. It’s a story about incentive structures.

When a company’s engineering team adds an open source library as a dependency, no one in that process is asked to evaluate whether the project is sustainably maintained or whether they should be contributing resources. The library is free, it works, and the decision moves on. The cost of “free” is invisible until it isn’t.

The people who would pay, if anyone would, are rarely the people who feel the dependency. A CTO might not know which specific open source components their product relies on three layers deep in the stack. A procurement team only processes invoices. A developer who cares might raise it internally and get told it’s not their problem.
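The "three layers deep" problem is partly a visibility problem: the components nobody chose are also the ones nobody is watching. The following is an added example, not code from the original page, of the check a security engineer would run before any funding conversation: walk the dependency graph from the application down, record how deep each package sits, and surface the ones that arrive transitively and have almost no one behind them. The package names, the dependency edges and the maintainer head-counts are all constructed for illustration (a real run would read them from a lockfile and from registry or project metadata).

```python
from collections import deque

# Constructed sample manifest (hypothetical package names, not a real lockfile).
# Each key lists the packages it depends on directly; "our-app" is the root.
DIRECT_DEPS = {
    "our-app": ["web-framework", "http-client"],
    "web-framework": ["template-engine", "logging-lib"],
    "http-client": ["tls-wrapper"],
    "template-engine": ["string-utils"],
    "tls-wrapper": ["crypto-core"],
    "logging-lib": [],
    "string-utils": [],
    "crypto-core": [],
}

# Constructed maintainer head-counts, standing in for what project metadata
# would report. Hypothetical values chosen for the example.
MAINTAINERS = {
    "web-framework": 40,
    "http-client": 6,
    "template-engine": 3,
    "tls-wrapper": 2,
    "logging-lib": 1,
    "string-utils": 1,
    "crypto-core": 1,
}


def transitive_depths(root, deps):
    """Breadth-first walk from root; returns {package: shortest depth}.

    Depth 1 means the package is declared directly in our own manifest;
    anything deeper was pulled in by a dependency of a dependency.
    The visited set makes the walk safe on graphs with cycles.
    """
    depths = {root: 0}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for child in deps.get(pkg, []):
            if child not in depths:
                depths[child] = depths[pkg] + 1
                queue.append(child)
    depths.pop(root)  # the application itself is not a dependency
    return depths


def hidden_single_maintainer(root, deps, maintainers, min_depth=3, max_people=1):
    """Packages at or beyond min_depth with at most max_people maintainers.

    These are the components the CTO in the paragraph above has never
    heard of: nobody in the organisation selected them, and the project
    behind them has no slack if its one maintainer walks away.
    """
    depths = transitive_depths(root, deps)
    return sorted(
        pkg for pkg, depth in depths.items()
        if depth >= min_depth and maintainers.get(pkg, 0) <= max_people
    )


def report(root, deps, maintainers):
    """Human-readable listing, deepest first, for the constructed graph."""
    depths = transitive_depths(root, deps)
    lines = []
    for pkg, depth in sorted(depths.items(), key=lambda kv: (-kv[1], kv[0])):
        lines.append(f"depth {depth}  maintainers {maintainers.get(pkg, '?'):>3}  {pkg}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("our-app", DIRECT_DEPS, MAINTAINERS))
    print("hidden, single-maintainer:",
          hidden_single_maintainer("our-app", DIRECT_DEPS, MAINTAINERS))
```

On the constructed graph, `string-utils` and `crypto-core` sit three layers down with one maintainer each; the direct dependencies that an engineer actually chose look healthy. The point of the walk is that the risk concentrates exactly where nobody is looking.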

There have been genuine attempts to fix this. GitHub Sponsors lets users and companies send money directly to maintainers. Open Collective provides financial infrastructure for open source projects. Tidelift built a business around getting companies to pay a subscription in exchange for maintenance guarantees across their open source dependencies. These efforts exist and some maintainers have benefited. But they remain small relative to the scale of the problem.

What the failure mode looks like

In December 2021, a critical vulnerability called Log4Shell (CVE-2021-44228) was discovered in Log4j 2, a Java logging library. The severity was about as bad as it gets: remote code execution, meaning an attacker who could get a crafted string into something the application logged could run arbitrary code on any server running a vulnerable version. The library was embedded in products across virtually every major tech company, countless government systems, and infrastructure worldwide.

The Log4j project was maintained by a small volunteer team as part of the Apache Software Foundation. They had to drop everything to respond to what became a global security emergency. The library they’d built and maintained for free, the one that turned out to be running inside products generating billions in revenue, was their responsibility to fix, on their time, under enormous pressure.

Log4Shell was not a freak event. It was a preview. The more concentrated our dependencies become on unmaintained or under-maintained open source components, the more exposure we accumulate to exactly this kind of cascading failure. The gap between free-to-use licensing and sustainable maintenance has been getting harder to ignore.

What would actually help

The honest answer is that small donations and thank-you messages are not the solution. The problem is structural and needs structural responses.

Some companies have gotten serious about this. Google, Microsoft, and others have employed core contributors to major open source projects, recognizing that paying someone to maintain a critical dependency is cheaper than dealing with the consequences of that dependency failing. The Linux Foundation has formalized funding mechanisms that bring enterprise money into maintaining shared infrastructure, the Core Infrastructure Initiative set up after Heartbleed being one example. These models work when companies treat open source maintenance as an operating cost rather than a favor.

The other lever is procurement policy. Large organizations, particularly governments, are starting to ask where their software actually comes from and whether those supply chains are stable. Requiring vendors to demonstrate they’re contributing back to the open source components they depend on is a policy choice, not a technical one.

The free rider problem is real, but it’s not inevitable. Roads are also infrastructure that everyone uses and doesn’t pay for at the point of use. We fund them collectively because we’ve decided the alternative is worse. We haven’t made that decision about software yet, and the bill is starting to come due.

The people maintaining the code your company runs on aren’t asking for gratitude. They’re asking, reasonably, not to subsidize trillion-dollar businesses with their free time.