Is Open Source Free Riding Bad?

Dec 12, 2021

Nearly every company uses open source. Many of these open source projects are maintained by volunteer (unpaid) programmers. Should these companies pay the developers?

This debate was reignited last week. On Friday, a remote code execution vulnerability was found in log4j, a popular open source Java logging library. This vulnerability has widespread consequences – most likely millions of companies are open to attack, including many of the Fortune 500.

The vulnerability was (relatively) slow to patch, requiring lots of code and two different releases (the first had another vulnerability). Patching isn't straightforward either (although some folks are working on using the exploit to run code that patches the vulnerability!).

So is open source "broken"? Should the developers get paid for their work? Would that have prevented this vulnerability, and spared the thousands of engineers who spent the weekend patching their software?

So far, I haven't heard of any good solutions to this free rider problem. Asking companies to act altruistically and donate to projects doesn't work.

Economists sometimes solve free rider problems with Coasian funding. A Coasian solution is one where the beneficiaries pool their resources beforehand to fund the project. I don't think I've seen this in open source before; the majority of contributions and funding come after the fact. I'm not sure how you'd coordinate the numerous possible beneficiaries of a logging library.

Maybe it's not a problem at all. Perhaps the market clearing price of a Java logging library is sufficiently low to be near free. If log4j were to charge for an enterprise license, I'm sure free competitors would take its place. It's not a particularly complex problem to solve, but maintenance and upkeep take effort. Developers aren't being forced to work on these projects. There's additional value that accrues to them – consulting and job opportunities, and a general enjoyment of others using your software. And it doesn't cost them whether 1 or 1000 companies are using their software (in fact, usually the more, the better). Although I'll admit it seems like an uneven value exchange.