Why Open‑Source Maintainers Struggle: Funding, Sustainability, and the Log4j2 Crisis
The article examines the high‑profile Log4j2 vulnerability, exposes the unpaid labor of open‑source maintainers, and argues that sustainable funding models and corporate‑maintainer contracts are essential for the long‑term health of critical open‑source projects.
Apache Log4j2, a Java logging library, recently suffered a critical JNDI injection vulnerability that allowed remote code execution; the project responded quickly by releasing version 2.16.0 with JNDI disabled by default.
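The practical question for a defender reading the paragraph above is which deployments still carry a log4j-core build older than the 2.16.0 release the article cites. The following Python is an added example, not code from the article or from the Log4j project: it scans a constructed dependency-tree dump in the `group:artifact:packaging:version:scope` shape that `mvn dependency:tree` prints (that format is an assumption here) and reports log4j-core 2.x coordinates below 2.16.0.

```python
import re
from typing import List, Tuple

# The article states that Log4j 2.16.0 ships with JNDI disabled by default;
# 2.x releases below it are flagged for review. (Log4j 1.x is a separate
# codebase the article does not discuss, so it is not assessed here.)
FIXED_VERSION: Tuple[int, ...] = (2, 16, 0)

# Constructed sample (not real project output) in the
# `group:artifact:packaging:version:scope` shape of a `mvn dependency:tree` dump.
SAMPLE_TREE = """\
com.example:shop-api:jar:1.4.2
+- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
+- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
+- org.apache.logging.log4j:log4j-core:jar:2.16.0:runtime
\\- org.slf4j:slf4j-api:jar:1.7.32:compile
"""

# group:artifact:[packaging:]version -- the packaging segment is optional.
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?:\w+:)?(?P<version>\d+(?:\.\d+)*)"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def version_is_fixed(version: str) -> bool:
    """True when the version is at or above the 2.16.0 release the article cites."""
    return parse_version(version) >= FIXED_VERSION


def find_log4j_core_below_fix(tree_text: str) -> List[str]:
    """Return the log4j-core 2.x versions in a dependency-tree dump that predate 2.16.0."""
    flagged: List[str] = []
    for line in tree_text.splitlines():
        match = COORD_RE.search(line)
        if not match:
            continue
        if match["group"] != "org.apache.logging.log4j" or match["artifact"] != "log4j-core":
            continue
        version = match["version"]
        if parse_version(version)[0] == 2 and not version_is_fixed(version):
            flagged.append(version)
    return flagged


if __name__ == "__main__":
    for v in find_log4j_core_below_fix(SAMPLE_TREE):
        print(f"log4j-core {v} predates 2.16.0; JNDI lookups are still enabled by default")
```

The versions are compared as integer tuples deliberately: a plain string comparison ranks "2.9.1" above "2.16.0" and would silently pass an old build, which is exactly the kind of inventory mistake that leaves a vulnerable artifact in production.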
One of Log4j2's maintainers, Volkan Yazıcı, posted on Twitter that the small team works unpaid and voluntarily, receiving no salary and often being berated in the repository when issues arise.
Maintainers lose sleep dealing with patches, documentation, CVEs, and community queries, yet they are constantly criticized for a feature (JNDI) kept for backward compatibility.
This situation reflects a broader “open‑source sustainability problem”: projects either fade due to lack of ecosystem support, or become popular and widely used without any financial backing or code contributions from the companies that profit from them.
Companies that rely on free open‑source components to minimize costs and maximize profits often shift blame to maintainers when issues arise, as illustrated by recent complaints from the curl author about Apple’s treatment of open‑source contributors.
Imagine a trillion‑dollar company that embeds numerous open‑source components in its products, earns billions in profit, yet directs users seeking help back to the volunteer‑maintained projects that never received any sponsorship.
Google cryptographer and Go security lead Filippo Valsorda urged open‑source maintainers to engage professionally with corporate users and obtain paid support to make open‑source development sustainable.
He notes that most maintainers are either volunteers or full‑time employees of large firms—both models are unhealthy. Skilled maintainers could earn $150k–$300k+ annually as senior engineers, but currently rely on unstable income from GitHub Sponsors or Patreon.
Full‑time corporate open‑source staff face KPI pressure and corporate control, which erodes enthusiasm for maintaining projects, a pattern repeated across many companies and ecosystems.
Valsorda proposes that companies needing secure, high‑quality open‑source supply chains should contract and pay maintainers at market rates, ensuring quality and timely vulnerability fixes while allowing maintainers to focus on long‑term project health.
However, many publicly listed companies show little enthusiasm for paying for core open‑source components, preferring permissive licenses like Apache or MIT that enable free riding.
Numerous Fortune‑500 firms rely on critical open‑source projects maintained by volunteers in their spare time, often without even reviewing the code for security, highlighting the unsustainable nature of the current open‑source culture.
Log4j2 developer Ralph Goers has only three sponsors on GitHub.
I am a member of the Apache Software Foundation and a PMC for several Apache projects. I created the initial version of Apache Log4j 2 and spend most of my time supporting and improving it so that it becomes the best logging framework for Java developers. I work on Log4j and other open‑source projects in my spare time and dream of doing it full‑time with your support.
Author: 罗奇奇 | Published by OSC Open Source Community (ID: oschina2013)
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.