For something so important, you might expect that the world’s biggest tech firms and governments would have contracted hundreds of highly paid experts to quickly patch the flaw.
The truth is different: Log4J, which has long been a critical piece of core internet infrastructure, was founded as a volunteer project and is still run largely for free, even though many million- and billion-dollar companies rely on it and profit from it every single day. Yazici and his team are trying to fix it for next to nothing.
This strange situation is routine in the world of open-source software, programs that allow anyone to inspect, modify, and use their code. It’s a decades-old idea that has become critical to the functioning of the internet. When it goes right, open-source is a collaborative triumph. When it goes wrong, it’s a far-reaching danger.
“Open-source runs the internet and, by extension, the economy,” says Filippo Valsorda, a developer who works on open-source projects at Google. And yet, he explains, “it is extremely common even for core infrastructure projects to have a small team of maintainers, or even a single maintainer that is not paid to work on that project.”
“The team is working around the clock,” Yazici told me by email when I first reached out to him. “And my 6 a.m. to 4 a.m. (no, there is no typo in time) shift has just ended.”
In the middle of his long days, Yazici took time to point a finger at critics, tweeting that “Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people from bashing us, for work we aren’t paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns.”
Before the Log4J vulnerability made this obscure but ubiquitous software into headline news, project lead Ralph Goers had a grand total of three minor sponsors backing his work. Goers, who works on Log4J on top of a full-time job, is in charge of fixing the flawed code and extinguishing the fire that’s causing millions of dollars in damage. It’s an enormous workload for a spare-time pursuit.
The underfunding of open-source software is “a systemic risk to the United States, to critical infrastructure, to banking, to finance,” says Chris Wysopal, chief technology officer at the security firm Veracode. “The open-source ecosystem is up there in importance to critical infrastructure with Linux, Windows, and the fundamental internet protocols. These are the top systemic risks to the internet.”