We all owe a debt to open source. From Linux to Kubernetes to countless NPM packages, open source has powered modern software. It’s hard to imagine shipping a production app without dozens — or even thousands — of open source dependencies.
But there’s a problem no one likes to talk about: the human cost of “free” software. Many open source maintainers are burned out, underpaid, and overwhelmed. And the entire ecosystem is now paying the price.
The Reality of Open Source Burnout
A 2022 Tidelift survey showed that 46% of open source maintainers have considered quitting due to stress, lack of support, or unreasonable demands (source: Tidelift Maintainer Survey 2022).
Why? Because open source maintainers juggle:
a steady stream of security reports and CVEs, each one expected to be triaged and patched immediately
feature requests
bug reports
code reviews
breaking changes
angry users who treat free maintainers like an enterprise support desk
And they do all of this with no pay, no team, and often no thanks.
A Real-World Case: Log4j
In December 2021, Log4Shell (CVE-2021-44228), a remote code execution flaw in Log4j 2 rated CVSS 10.0, landed in a logging library embedded in a huge share of the world's Java applications. Millions of those applications depended on a tiny group of maintainers to fix it.
That project had a shoestring budget and a small, volunteer team. Yet they were suddenly at the center of global cybersecurity efforts.
As Brian Fox from Sonatype put it:
“The biggest problem is that critical open source projects have the same funding as your average bake sale.”
(source: Sonatype blog, 2021)
The world demanded an immediate patch, but those maintainers were already working for free, under stress, and burning out.
The Pattern: Dependency Overload
Modern apps routinely pull in hundreds of transitive dependencies. According to Synopsys’s 2023 Open Source Security and Risk Analysis, 84% of commercial codebases contain more than half open source code (source: Synopsys OSSRA 2023).
That means your security, feature velocity, and stability depend on people you’ve probably never met — who are often unpaid and exhausted.
The Security Angle
Burned-out maintainers can’t keep up with security reports. In 2023, GitHub reported over 4,000 critical vulnerabilities disclosed in public open source projects, many of which went unpatched for months because the maintainers had no time or resources (source: GitHub State of OSS Security 2023).
If you think “free” means safe, remember: a project with no funding and one tired maintainer is a single point of failure in your supply chain, and every application that depends on it inherits that risk.
Practical Steps for Contributors and Teams
If you’re an open source contributor, you should protect yourself:
✅ Set explicit project boundaries — you are not an on-call employee for free
✅ Automate repetitive triage with bots (for example Probot apps that label, close stale issues, or request missing reproduction details)
✅ Publish a security policy (a SECURITY.md, which GitHub surfaces under the repository’s Security tab) so reporters know where to send vulnerabilities privately instead of filing public issues
✅ Use funding badges (Open Collective, GitHub Sponsors via a .github/FUNDING.yml) to transparently ask for support
✅ Take breaks without guilt
If you are consuming open source in production, do your part:
✅ Contribute fixes and PRs instead of only filing issues
✅ Sponsor projects you depend on
✅ Fund security audits for your dependencies
✅ Pin dependencies to exact versions with a lockfile, generate a Software Bill of Materials (SBOM), and actually review it so you know which transitive packages you ship
✅ Respect maintainers’ time and treat them like partners, not vendors
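The last two items are the ones a team can automate. The script below is an added example, not code from the original post or from any of the projects named in it; it walks a constructed npm-style manifest and a constructed CycloneDX 1.5 SBOM (the "example-app" and its package list are hypothetical) to flag direct dependencies that float instead of being pinned, and to separate the packages you chose from the transitive ones you inherited. Real SBOMs from tools such as cyclonedx-npm carry the same "components" and "dependencies" fields used here.

```python
"""Flag unpinned dependency ranges and walk a CycloneDX SBOM's dependency graph."""
import json
import re
from collections import deque

# Constructed sample manifest in npm package.json form (hypothetical app, not a real project).
SAMPLE_PACKAGE_JSON = """{
  "name": "example-app",
  "version": "1.0.0",
  "dependencies": {
    "express": "^4.18.2",
    "lodash": "4.17.21",
    "left-pad": "*",
    "semver": "~7.5.0",
    "chalk": ">=5.0.0"
  }
}"""

# Constructed minimal CycloneDX 1.5 SBOM for the same hypothetical app.
# "ms" is deliberately listed as a component but never referenced by any edge.
SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "example-app",
                             "version": "1.0.0", "bom-ref": "pkg:npm/example-app@1.0.0"}},
  "components": [
    {"type": "library", "name": "express", "version": "4.18.2", "bom-ref": "pkg:npm/express@4.18.2"},
    {"type": "library", "name": "lodash", "version": "4.17.21", "bom-ref": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "name": "left-pad", "version": "1.3.0", "bom-ref": "pkg:npm/left-pad@1.3.0"},
    {"type": "library", "name": "semver", "version": "7.5.4", "bom-ref": "pkg:npm/semver@7.5.4"},
    {"type": "library", "name": "chalk", "version": "5.3.0", "bom-ref": "pkg:npm/chalk@5.3.0"},
    {"type": "library", "name": "body-parser", "version": "1.20.2", "bom-ref": "pkg:npm/body-parser@1.20.2"},
    {"type": "library", "name": "qs", "version": "6.11.0", "bom-ref": "pkg:npm/qs@6.11.0"},
    {"type": "library", "name": "side-channel", "version": "1.0.4", "bom-ref": "pkg:npm/side-channel@1.0.4"},
    {"type": "library", "name": "ms", "version": "2.1.3", "bom-ref": "pkg:npm/ms@2.1.3"}
  ],
  "dependencies": [
    {"ref": "pkg:npm/example-app@1.0.0", "dependsOn": ["pkg:npm/express@4.18.2", "pkg:npm/lodash@4.17.21",
      "pkg:npm/left-pad@1.3.0", "pkg:npm/semver@7.5.4", "pkg:npm/chalk@5.3.0"]},
    {"ref": "pkg:npm/express@4.18.2", "dependsOn": ["pkg:npm/body-parser@1.20.2", "pkg:npm/qs@6.11.0"]},
    {"ref": "pkg:npm/body-parser@1.20.2", "dependsOn": ["pkg:npm/qs@6.11.0"]},
    {"ref": "pkg:npm/qs@6.11.0", "dependsOn": ["pkg:npm/side-channel@1.0.4"]}
  ]
}"""

# An exact semver pin: MAJOR.MINOR.PATCH with an optional pre-release tag.
# Anything else (^, ~, >=, *, "latest", git URLs) floats and can change under you.
EXACT_PIN = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")


def unpinned_dependencies(package_json: str) -> dict[str, str]:
    """Return {name: range} for every direct dependency that is not an exact version."""
    manifest = json.loads(package_json)
    deps = manifest.get("dependencies", {})
    return {name: spec for name, spec in deps.items() if not EXACT_PIN.fullmatch(spec)}


def dependency_depths(sbom_json: str) -> dict[str, int]:
    """Breadth-first walk of the SBOM dependency graph from the root application.

    Returns {bom-ref: depth}; depth 1 = direct dependency, >= 2 = transitive.
    """
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depths = {root: 0}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depths:  # first visit is the shortest path from the root
                depths[child] = depths[ref] + 1
                queue.append(child)
    return depths


def transitive_components(sbom_json: str) -> list[str]:
    """Names of components you never chose directly but ship anyway (depth >= 2)."""
    sbom = json.loads(sbom_json)
    depths = dependency_depths(sbom_json)
    names = {c["bom-ref"]: c["name"] for c in sbom.get("components", [])}
    return sorted(names[ref] for ref, depth in depths.items() if depth >= 2)


def unreachable_components(sbom_json: str) -> list[str]:
    """Components listed in the SBOM but not reachable from the root.

    Usually a sign that the SBOM and the lockfile have drifted apart.
    """
    sbom = json.loads(sbom_json)
    depths = dependency_depths(sbom_json)
    return sorted(c["name"] for c in sbom.get("components", []) if c["bom-ref"] not in depths)


if __name__ == "__main__":
    print("unpinned:", unpinned_dependencies(SAMPLE_PACKAGE_JSON))
    print("transitive:", transitive_components(SAMPLE_SBOM))
    print("unreachable:", unreachable_components(SAMPLE_SBOM))
```

On the sample input four of the five direct dependencies float, three packages arrive only transitively, and one package sits in the SBOM without being reachable from the app at all. Run the same two checks in CI against the real manifest and the SBOM your build produces; a growing transitive list is the practical measure of how many strangers' projects your release now rests on.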
The Maturity Gap
Open source has come a long way, but the support structures haven’t kept up. The world wants professional-grade results — while funding hobby-grade infrastructure.
That mismatch is why contributors burn out, issues pile up, and security holes linger for months.
Open source isn’t truly “free.” It’s a collaboration. If we treat it like a one-sided free-for-all, we will continue to see vital maintainers leave, creating fragile supply chains and preventable breaches.
Final Thoughts
Open source has given us immeasurable value — but it is held together by humans, not magic.
If we keep pretending open source is free forever, we will pay the price in security incidents, broken projects, and burned-out maintainers.
Free software costs something. It costs us — as an industry — to support, sponsor, and respect the humans behind the code.