A practical framework for supporting the open source your organization depends on.
Open source software is free to use. It is not free to maintain. And the gap between those two facts is becoming everyone's problem.
96% of commercial software depends on open source. The value it creates is estimated at $8.8 trillion globally. But a third of the developers maintaining it are completely unpaid. Many are the sole person responsible for their project, securing the software behind banks, hospitals, and government systems in their spare time.
In 2024, an attacker exploited exactly this weakness in xz Utils, a compression library that ships with nearly every Linux distribution. They spent over two years earning the trust of the single developer maintaining it, became a co-maintainer, and then planted a backdoor that targeted the SSH server through the library. It was caught almost by accident, by an engineer chasing a login slowdown, before the compromised releases reached stable distributions. Nobody was auditing the project. Nobody was funding it. One exhausted person was the only barrier between that code and your systems.
And the pressure is not easing. The number of organizations depending on open source keeps growing while the support structures around it remain almost nonexistent.
Open source does not fail because the technology breaks. It fails because the people maintaining it stop showing up. And right now, the reasons to keep showing up are disappearing faster than new ones are being created.
But it does not have to work this way.
I have been watching this space closely. The organizations that moved first are not doing it out of generosity. They are doing it because they ran the numbers.
Germany has invested over €24 million through its Sovereign Tech Fund to maintain the open source projects its economy depends on. Bloomberg and Spotify run internal funds where their engineers decide which projects receive support. The Open Source Pledge asks companies to commit a minimum of $2,000 per developer per year, paid directly to the maintainers doing the work. And starting this September, the reporting obligations of the EU Cyber Resilience Act take effect: manufacturers must notify actively exploited vulnerabilities in their products within 24 hours of becoming aware of them, with the Act's wider requirements, including documenting the open source components they ship, following after.
I put together a playbook covering six areas where organizations extract value from open source today. Each one covers what to do, what to avoid, and who is already doing it right.
Whether you run a startup, a corporation, or a government agency, your entry point is in there.
The full framework is attached below.
Fund what you use. Fix what you break. Share what you build with public money. Verify what you submit.
None of this is radical. That is the point.
