The Paradox at the Heart of Open Source
Some of the most critical software in the world — the libraries and tools that underpin banks, hospitals, governments, and tech giants — is maintained by small groups of volunteers, often in their spare time, often without compensation. When a vulnerability is found in one of these projects (as happened with Log4Shell and the XZ Utils backdoor attempt), the fragility of this model becomes impossible to ignore.
This isn't a new observation, but it remains an unsolved problem. How do open source projects sustain themselves?
The Most Common Funding Models
1. Donations and Crowdfunding
Platforms like GitHub Sponsors, Open Collective, and Patreon allow individuals and organizations to fund maintainers directly. This model works best for projects with large, engaged communities — but for the thousands of foundational libraries that developers rarely think about, donation income is typically minimal.
2. Open Core
The open core model makes the core project open source while offering a paid, proprietary tier with enterprise features (SSO, audit logs, advanced support). Companies like GitLab, HashiCorp (before its license change), and Grafana Labs have used this model. Critics argue it creates pressure to deliberately weaken the open source tier to drive upgrades.
3. Dual Licensing
Projects like MySQL and Qt offer the software under a copyleft license (GPL) for free, while selling a commercial license to businesses that don't want copyleft obligations. This works well for libraries used inside proprietary products.
4. Foundation Backing
Large foundations — the Linux Foundation, Apache Software Foundation, CNCF, and OpenSSF — provide organizational infrastructure, legal support, and sometimes direct funding to critical projects. Membership fees from large tech companies fund these foundations. The Apache model in particular has proven durable across decades.
5. Corporate Sponsorship and Stewardship
Some open source projects are primarily maintained by employees of large companies as part of their job. Google maintains Go and Angular, Meta maintains React, and Microsoft maintains VS Code and TypeScript. While this provides resources, it raises governance questions about whether the project's direction serves the community or the sponsor.
6. Service and Support Contracts
Companies like Red Hat (now part of IBM) built multi-billion-dollar businesses by selling support, certification, and services around open source software rather than the software itself. This model is less accessible for individual maintainers but scales well at the enterprise level.
What the Data Suggests
Research from the Linux Foundation and Harvard's Laboratory for Innovation Science has found that a small number of contributors do the majority of the work even in large projects. A 2020 report on open source security found that many critical packages in popular package registries have only one or two active maintainers. Concentrating maintenance responsibility in a few unpaid individuals creates systemic risk.
Emerging Approaches
Several newer initiatives are worth watching:
- Sovereign Tech Fund (Germany) — a government-backed fund investing in open source digital infrastructure
- FOSS Funders — a collective of companies coordinating funding for critical dependencies
- deps.dev and Ecosyste.ms — tooling to identify critical but underfunded packages
- OpenSSF's SLSA framework — improving supply chain security, which reduces the cost of maintaining secure packages
The Path Forward
There is no single solution to open source sustainability. The most resilient projects tend to combine multiple funding streams, establish clear governance, and build communities where contributions are genuinely shared. For companies that depend heavily on open source — which is most companies — direct financial support of upstream dependencies is increasingly recognized not just as altruistic, but as sound risk management.
The question is no longer whether open source needs sustainable funding models. It's how quickly the ecosystem can build and normalize them.