The average web application relies on hundreds of open source packages. Many of these packages are maintained by one or two people in their spare time, for free, with no formal support structure. The companies using these packages have combined market caps in the trillions. The maintainers often get nothing in return except bug reports and the occasional thank-you message.

This is the open source sustainability problem, and the situation is more fragile than most developers realise.

The Event That Made This Visible

Most developers became aware of this problem when the Log4j vulnerability was disclosed in late 2021. Log4j, a Java logging library used in essentially every significant Java application on earth, was maintained by a small team of volunteers. The disclosure created a global security emergency requiring immediate patching across millions of systems, and the response fell largely on those same volunteers, who had no resources, no formal support, and no compensation for the crisis they were suddenly at the centre of.

Similar situations have played out with OpenSSL (the cryptographic library behind most HTTPS deployments), Babel (the JavaScript compiler that most web applications build with), and dozens of other critical infrastructure projects.

How Open Source Actually Gets Funded

Corporate contributions: The Linux kernel is the most-funded open source project in the world and is maintained primarily by engineers at Google, Intel, Red Hat, and other corporations who are paid to work on it. This model works when the corporation's business depends on the software. Most projects don't have this.

Foundations: The Apache Foundation, Linux Foundation, and others provide infrastructure and organisational support to projects under their umbrella. They don't typically pay developer salaries but they reduce overhead and provide legal structure.

Open Core: The commercial model where the open source version is free and a paid enterprise version funds development. HashiCorp, Elastic, and MongoDB used versions of this model. It works until the company needs revenue growth that the model can't provide — at which point we sometimes see licence changes that the community experiences as betrayal.

Sponsorships: GitHub Sponsors and Open Collective let individuals and companies sponsor maintainers directly. Adoption is growing, but most successful open source projects with millions of downloads generate sponsorships measured in hundreds of dollars per month, not thousands.

What This Means for Developers and Companies

If your company's application depends on open source software — and it does — consider whether you're contributing anything back. That might mean: reporting issues clearly with reproduction cases, submitting pull requests for bugs you find, using GitHub Sponsors to financially support the maintainers of projects you depend on, or contributing engineering time to projects that are critical to your stack.

The "free" in free software refers to freedom, not price. The infrastructure of the internet is built on volunteer labour, and that's not as stable as we tend to assume.