Open-Source Software Is in Crisis

Here are three ways to help it flourish into the future


Rina Diane Caballar is a contributing editor covering tech and its intersections with science, society, and the environment.


A new saga is unfolding in the open-source realm. Matt Mullenweg, founder of open-source web content management system WordPress, which powers about 40 percent of the world’s websites, has accused WP Engine, a hosting provider for WordPress-built websites, of violating WordPress trademarks. They’re currently embroiled in a legal battle.

As Mullenweg wrote in a post on his personal website, “We offered WP Engine the option of how to pay their fair share: either pay a direct licensing fee, or make in-kind contributions to the open source project. This isn’t a money grab: it’s an expectation that any business making hundreds of millions of dollars off of an open source project ought to give back, and if they don’t, then they can’t use its trademarks.”

Mullenweg also criticized WP Engine for not contributing enough hours to the open-source project despite profiting hugely from it. WP Engine hit back and filed a lawsuit against Mullenweg and Automattic, the company behind WordPress.

“That’s the blessing and the curse of open source. Everybody gets to use it, but it puts us precisely in this position of not being able to support that directly through the market.” —Chad Whitacre, Sentry

At the center of this debacle is what Dries Buytaert, founder of open-source content management system Drupal, calls the “maker-taker problem.” In a blog post, he writes that “creators of open source software (‘makers’) see their work being used by others, often service providers, who profit from it without contributing back in a meaningful or fair way (‘takers’).”

For Chad Whitacre, head of open-source at application monitoring software company Sentry, “the point of the open-source licenses we have is this permissionless sharing—that’s the blessing and the curse of open source. Everybody gets to use it, but it puts us precisely in this position of not being able to support that directly through the market.”

Open-source developer discontent is on the rise

The clash between WordPress and WP Engine is also shining a spotlight on the changing role of open-source technologies. What began as small, fledgling projects by enthusiastic, collaboration-minded software developers has grown into essential components of vast computing and internet infrastructure. In fact, the Linux Foundation estimates that about 70 to 90 percent of today’s apps are made up of open-source software.

This increased reliance on open source is putting pressure on project maintainers, especially when it comes to providing prompt software updates and critical security fixes. In late 2021, a vulnerability in the widely used Log4j tool was one of the highest-profile security incidents in the open-source world. Earlier this year, a backdoor in a Linux compression tool was uncovered: an attacker had posed as a contributor for two years to gain the maintainer’s trust, which allowed them to insert malicious code into the tool. Both security flaws were in small open-source projects, maintained by small teams or even solitary volunteers, yet underlying massive enterprises.

Compounding this challenge is rising maintainer burnout, a recipe for disaster. According to a 2024 survey by Tidelift, a company that partners with and pays open-source maintainers to implement secure software development practices, the top three things respondents dislike about being maintainers are not being financially compensated enough, or at all, for their work; feeling underappreciated or “like the work is thankless”; and the added personal stress. It comes as no surprise, then, that more than half of maintainers have quit or have considered quitting.

How to fix the open-source crisis

So how can companies benefitting from open-source projects better support the community? Whitacre suggests “three levers to pull to solve the open-source sustainability crisis and quit burning out maintainers.” These three levers revolve around commercialization, taxation, and social validation.

Commercialization is the traditional route, which involves finding business models to subsidize open-source projects. “You’re not directly paying for open-source software, but you’re paying for something else that is supporting or subsidizing the open-source work,” Whitacre says. He cites a classic example of making the software itself free and open-source but charging for support and services. “The key to the commercialization lever is you need something scarce to have a business. Open-source is post-scarcity by definition [and] by intention, so you have to find something else scarce.”

Taxation is another way to economically sustain open-source technologies. In Germany, for instance, the Federal Ministry for Economic Affairs and Climate Action is financing the Sovereign Tech Fund, a program of the Sovereign Tech Agency investing in “projects that benefit and strengthen the open source ecosystem.” Currently funded projects include FreeBSD, a Unix-like operating system; JUnit, a testing framework for the Java ecosystem; the PHP Foundation, which is behind the PHP programming language; and the OpenJS Foundation, which hosts a range of JavaScript projects.

Similar programs under the Sovereign Tech Agency’s purview encompass a fellowship that pays open-source maintainers and services to boost open-source software resilience, such as code security audits, helping with known security issues, and a bug bounty and fix platform. As the Sovereign Tech Agency notes: “The open source ecosystem, while incredibly successful, is also increasingly fragile. Many more people are using the software than contributing to it. It is time to invest in digital commons, volunteer communities and the open source ecosystem to build the digital world we want to see.”

The final piece of the puzzle, according to Whitacre, is social validation. Drupal follows this approach through a credit system that recognizes and incentivizes contributors for their efforts. Individuals and organizations who contribute to Drupal—be it through code, documentation, submitting case studies that demonstrate success with the software, or financial support—earn credits for visibility and advertising on Drupal’s website, as well as early access, discounts, and sponsorships to events, among other benefits.

Companies can pledge to help out

Whitacre himself is pulling the social validation lever as a leader of the Open Source Pledge, a group working to directly pay maintainers. By joining the Pledge, companies pay an annual minimum of US $2,000 for each full-time developer on staff to open-source maintainers of their choosing. “That means if a company has 50 developers they employ, then they’re paying at least $100,000 per year to the maintainers of the open-source software they depend on,” explains Whitacre.

Members of the Open Source Pledge are also required to publish a blog post detailing their payments to maintainers. “We need companies to be out there on their own blog, in their own voice, expressing their support for the Pledge and their participation in the Pledge to encourage other companies to do likewise,” Whitacre says. “It’s for accountability and awareness.”

Having started just over a month ago, the Open Source Pledge has only two dozen or so members to date, mostly “smaller, developer-focused startups highly aligned with open source to begin with,” says Whitacre. The aim is to expand to larger enterprises, which might take some time.

Looking to the future of open-source software, Whitacre hopes to see more approaches like what Drupal is doing, as well as a boost from both government bodies and the tech sector to steward open-source projects.

“With the Pledge, we’re trying to get the money flowing right, but that’s only half the equation,” says Whitacre. “It’s a very important half, and it’s the part we need to start with and focus on right now. The other side of that is how do we make sure that money actually has the impact we want. We need to unlock this same kind of commitment from the whole industry, broaden it, and get other companies to join us.”

This article appears in the January 2025 print issue as “Open Source Has a ‘Maker-Taker’ Problem.”

The Conversation (4)
Brian Tabone, 14 Nov, 2024

The solution seems simple enough: pay contributors so they can spend regular hours on the project instead of eating into home and family time. Google, Microsoft, Oracle, and many others benefit from open source every day, and can easily afford regular, meaningful cash payments. A way to pool funds and track contributor effort to govern payouts may be needed to ensure fair pay for productive output.

Ivan Gramatikov, 21 Nov, 2024

Great article!

In addition to paying contributors, if the project is big enough to warrant sustained support, there should be transparent reports outlining expenditures.

An example of this is how Lichess (the community-supported web chess app) discloses everything to their supporters. Use, don't abuse!

(Google docs spreadsheet showing all running costs)

https://lichess.org/costs

Maciej Sopylo, 16 Nov, 2024

So someone (WordPress author) wrote OSS software (one of the basic facts of which is anyone can use it for anything). Then started a business selling hosting of that software. But competition got better and instead of figuring out a better business strategy they go for trademark infringement. Switching away from OSS seems like the next logical step, because why compete when you can rugpull. Disgraceful.