Why Open‑Source Projects Like Log4j2 Struggle to Stay Sustainable—and How to Fix It
The article examines the high‑profile Log4j2 vulnerability, exposes the unpaid volunteer model behind many open‑source projects, and argues that companies must pay for the software they rely on to create a sustainable ecosystem for maintainers.
Apache Log4j2, a Java logging library, recently suffered a critical JNDI injection vulnerability that allowed remote code execution, prompting the release of version 2.16.0, which disables JNDI functionality by default.
One of Log4j2's maintainers, Volkan Yazıcı, lamented on Twitter that the core team consists of a few unpaid volunteers who receive no salary and face harsh criticism when issues arise.
This situation illustrates a broader "open‑source sustainability problem": projects either attract little interest and fade, or become widely used without any financial support or code contributions from the companies that profit from them.
Companies that rely on free open‑source components often treat the maintainers as unpaid labor, maximizing profit while offering no compensation, as highlighted by a recent complaint from the curl author about Apple.
“Imagine a trillion‑dollar company using open‑source components to generate billions in profit, yet when a user seeks help, the company pushes them to the volunteer‑run project that has never received a dime from the company.”
Google cryptographer and Go security lead Filippo Valsorda called for professional communication between open‑source maintainers and the companies that use their software, advocating paid support to ensure sustainability.
Valsorda notes that most maintainers are either volunteers or full‑time employees of large firms, and that neither model is healthy: these people could earn high salaries as senior engineers, yet they rely on unstable funding sources such as GitHub Sponsors or Patreon.
Full‑time open‑source employees in big companies also face corporate KPI pressures that erode enthusiasm for maintaining projects.
Valsorda proposes that companies needing secure, high‑quality open‑source components should contract developers at market‑rate salaries, guaranteeing quality and timely vulnerability fixes while allowing maintainers to focus on long‑term health.
This shift requires changing corporate attitudes; many enterprises prefer to exploit permissive licenses such as Apache or MIT to avoid paying, effectively “free‑riding” on community labor.
Numerous Fortune‑500 firms rely on critical open‑source projects maintained by volunteers after hours, often without proper security reviews, underscoring the urgent need to professionalize open‑source maintenance as a well‑paid career.
Side note: Log4j2’s creator Ralph Goers has only three sponsors on GitHub.
“I am an Apache Software Foundation member and have created the initial version of Apache Log4j 2. I dream of working full‑time on open‑source; your support could make that possible.”
21CTO