Open-source software quietly runs our digital world. Web servers, clouds, package managers, encryption libraries: much of it is kept alive by a handful of volunteers or fragile business models. When those individuals burn out or markets shift, the consequences are real: security holes, supply-chain chaos, and entire industries exposed.
High-impact vulnerabilities and compromises, from Heartbleed (CVE-2014-0160) in OpenSSL to the Log4Shell (CVE-2021-44228) RCE cascade, supply-chain attacks like the XZ Utils backdoor, and abrupt engineering layoffs in high-adoption projects such as Tailwind CSS all demonstrate the mounting systemic fragility of open-source maintenance and sustainability.
If bridges and power grids need public money and oversight, so does the code our digital world runs on.
The case in brief
Open source is infrastructure
Critical pieces like OpenSSL, curl, Linux, Git, and container tooling underpin government services and private industry alike. Projects such as curl run everywhere, in billions of devices, yet often lack stable funding.
The status quo is brittle
Underfunding causes slow patching, volunteer burnout, and global security incidents. The Heartbleed crisis showed that OpenSSL was essentially a mission-critical project running on a shoestring. Emergency industry funding helped, but only after the damage was done.
Public funding can work
Germany's Sovereign Tech Fund demonstrates that targeted public investment in open software is practical and scalable. It proves governments can fund digital public goods without owning or controlling them.
AI could accelerate the crisis
Models ingest docs and code at massive scale, reducing revenues from documentation, consulting, and paid plugins while increasing noisy, low-quality support requests that drain maintainers' time. Tailwind's recent layoffs illustrate how quickly commercial models can collapse, even for widely used projects, when incentives shift.
Why corporate funding alone isn't enough
Big tech does fund crucial projects and often saves the day in crises. But corporate funding aligns to corporate priorities. Companies pay for features they need, not the boring maintenance, audits, and long-tail security work that keep ecosystems safe.
When priorities shift, support can vanish overnight. That's rational for a business, but fragile for infrastructure.
Germany's Sovereign Tech Fund proves this isn't theoretical: since 2022 it has funded maintenance and security for 60+ critical projects without taking control. Similar models already exist across Europe and the U.S. The problem isn't whether governments can fund open source, it's that they don't yet fund it at infrastructure scale.
A pragmatic, metrics-driven funding model
Adopt a tiered, quantifiable, and minimally invasive allocation framework to prioritize systemic resilience.
Tier 1: Foundational projects (full-time support)
High-dependency components such as OpenSSL-class libraries, core package managers, and critical kernel subsystems. Fund maintainer salaries, audits, and dependable patch pipelines.
Tier 2: High-impact tools (project grants)
Widely used tooling that needs targeted investments in security, documentation, or onboarding.
Tier 3: Seed and innovation
Micro-grants, sponsored hackathons, and compute/infra credits for nascent projects with high potential impact, fostering innovation.
Projects should be scored using public metrics: dependency graphs, CVE impact, download statistics, public-sector deployment, and community health (contributors, response times). This ensures transparent, auditable, and data-backed disbursement decisions.
Safeguards so funding doesn't crush freedom
- Funding is optional. Maintainers apply; they aren't forced.
- Core grants include lightweight SLAs (patch windows, disclosure practices), explicitly excluding any influence over code direction, feature prioritization, or architectural decisions.
- Mixed funding (government, philanthropy, industry) prevents single-source capture.
- Independent oversight with developer-majority seats ensures the developer voice is central.
The objective isn't to bureaucratize creativity. It's to prevent catastrophic single-maintainer failure modes.
Real returns, not charity
A dedicated full-time maintainer or proactive security audits can avert cascading supply-chain compromises. The Heartbleed episode and the subsequent Core Infrastructure Initiative showed that emergency pooling works, but it isn't sustainable.
Steady, pragmatic investment buys reliability, faster remediation, and national security, without imposing bureaucratic oversight or proprietary lock-in.
Final thought
We don't rely on unpaid enthusiasts to maintain highways or grids. We shouldn't expect volunteers alone to safeguard the digital highways either.
Open source is public digital infrastructure now. Fund it like one: pragmatic tiers, transparent governance, and respect for developers.
The alternative isn't the status quo; it's waiting for the next crisis and then paying far more, in lost productivity and recovery costs, to fix it.