60% of Open Source Devs Work for Free — Now One Guy Wants Big Tech to Pay Up

The people building the software that runs the entire internet are getting paid less than McDonald’s workers. And someone finally said it out loud.

97% of commercial software uses open source dependencies. The seven biggest tech companies — worth $7.7 TRILLION combined — donated a grand total of $12.5 million to fund it. That works out to 16 cents per $100K of their income.

Steven J. Vaughan-Nichols, a tech reporter who’s been covering this beat since before most of us were born, just published an opinion piece in The Register that basically says: screw the tip jar, it’s time to send invoices.

🧩 Dumb Mode Dictionary

| Term | What It Actually Means |
| --- | --- |
| Open source | Software where the code is public and anyone can use, modify, or share it — for free |
| Maintainer | The person (usually unpaid) who keeps an open source project alive, fixes bugs, and reviews contributions |
| Package registry | A big online library where developers download code packages (think: npm, PyPI, Maven) — the plumbing of modern software |
| Dependency | A piece of someone else’s code that your app needs to work — like ingredients in a recipe you didn’t write |
| Post-Open licensing | Bruce Perens’ new idea: keep code free for individuals, but charge companies over $5M revenue a small fee |
| Bug bounty | A reward program where companies pay hackers to find security bugs — except now AI is flooding them with garbage |

📖 The Backstory: How Did We Get Here?

Open source started as an idealistic movement. Share the code, improve the world, right?

And it worked. Like, absurdly well. Open source now powers basically everything — your phone, your bank, your car, the servers running every social media platform. But the people who built and maintain this stuff? They got the short end of every possible stick.

  • 60% of open source maintainers are completely unpaid (2024 Tidelift report)
  • Of the ones who DO get paid, only 26% earn more than $1,000/year for their work
  • 60% have quit or considered quitting due to burnout

That’s not a funding model. That’s exploitation with extra steps.

📊 The Numbers That Should Make You Angry

| Stat | Number |
| --- | --- |
| Commercial software using open source deps | 97% |
| Open source maintainers who are unpaid | 60% |
| Maintainers earning >$1K/year (of those paid) | 26% |
| Maintainers who quit or considered quitting | 60% |
| Combined market cap of top 7 donors | $7.7 trillion |
| Total donated to Linux Foundation/OpenSSF/Alpha-Omega | $12.5 million |
| Maven Central traffic from top 1% of IPs | 82% |
| Maven Central traffic from large cloud providers | ~80% |
| Open source components with no maintenance in 2 years | 91% |

That last one is wild. 91% of the open source code running inside commercial products showed no signs of active maintenance in the past two years. We’re all standing on abandoned buildings and pretending the floors are solid.

😤 The cURL Incident

Daniel Stenberg — the creator and maintainer of cURL, which is installed on literally billions of devices — had to shut down cURL’s bug bounty program.

Why? Because AI-generated submissions flooded it with garbage. Only about 5% of bug bounty submissions were genuine vulnerabilities, according to OpenSSF. The rest were AI slop — and Stenberg said dealing with them was threatening maintainers’ “survival and intact mental health.”

Think about that. The guy who maintains one of the most critical tools on the internet had to close the door on security reports because the noise was killing him. And he’s one of the lucky ones who actually gets some funding.

🗣️ What Vaughan-Nichols Is Actually Proposing

The core argument is pretty simple: stop treating open source funding like a charity and start treating it like a business cost.

His pitch:

  • Package registries (npm, Maven, PyPI) handle trillions of downloads per year
  • About 80% of that traffic comes from the biggest cloud providers
  • Charge those companies for registry access — not for the code itself, which stays free
  • Create a new organization that routes those payments directly to maintainers

He points to two orgs already doing something similar:

  • HeroDevs — runs a $20M Open Source Sustainability Fund paying maintainers of critical end-of-life components
  • Sentry — maps its entire dependency tree and literally cuts checks to the people maintaining each package (one of the only companies that actually does this)

But those are voluntary. Vaughan-Nichols wants something mandatory. Not optional charity — a cost of doing business.

🔮 Bruce Perens' Post-Open License

Bruce Perens — the guy who literally wrote the Open Source Definition back in 1997 — has his own proposal called Post-Open licensing.

The idea:

  • Individuals and small companies (under $5M revenue): Free. Same as always.
  • Big companies (over $5M revenue): Pay a small percentage, ramping up to 1% of revenue
  • Payments go through a non-profit that distributes to developers

He envisions a not-for-profit corporation that also provides user support, documentation, hardware-based authentication for developers, and even help with government compliance.

The catch? Some people argue the moment you restrict commercial use, it stops being “open source” and becomes “source-available.” And enterprises will treat it accordingly — avoid it, fork the last free version, or just use the MIT-licensed release forever.

It’s a real tension. But doing nothing isn’t working either.

💬 What People Are Actually Saying

The Slashdot and Hacker News threads on this one went exactly how you’d expect — passionate, polarized, and occasionally brilliant:

  • The realist take: “The moment a license is commercial-use-restricted, it’s not open source. Enterprises will fork it before the license change or just use the last MIT-licensed version forever.”
  • The corporate take: “Large companies want a throat to choke. The moment they pay an ongoing contract, it becomes a financial and strategic decision — vendor management, risk analysis, tech downselection.”
  • The maintainer take: “You can’t live off one-off charity donations. Depending on what people put in a tip jar is no way to fund anything of value.”

The fundamental problem everyone agrees on: the status quo is broken. Nobody agrees on what replaces it.


Cool. The People Building the Internet Are Working for Free. Now What the Hell Do We Do? ಠ_ಠ

💼 Hustle 1: Open Source Dependency Auditing as a Service

Companies have no idea what open source they’re running or who maintains it. That’s a compliance nightmare — and your opportunity.

Map dependency trees, flag abandoned packages, identify license risks, and charge companies $2K-$10K per audit. Tools like Snyk, FOSSA, and Trivy do parts of this, but most mid-size companies need a human to explain it to their legal team.

🧠 Example: A freelance DevSecOps consultant in Lisbon, Portugal started offering “open source health checks” to fintech startups using a combination of Trivy scans and manual review. She charges €3,000 per engagement and does two per month alongside her day job.

📈 Timeline: First client within 2-3 weeks if you already have DevOps experience and a LinkedIn presence in tech

📝 Hustle 2: Paid Open Source Maintenance Contracts

If you maintain an open source package — even a small one — you can offer paid support contracts directly to companies using it. Tidelift already does this as a marketplace, but you can also do it independently.

Put a FUNDING.yml in your repo, set up GitHub Sponsors, and directly reach out to companies in your download logs. Even a package with 10K weekly downloads has commercial users who’d pay $500/month for guaranteed response times.

🧠 Example: A developer in Kraków, Poland maintained a niche Python data validation library. He noticed a Fortune 500 company in his download stats, cold-emailed their engineering lead, and signed a $1,200/month support contract within two weeks.

📈 Timeline: 1-2 months to land your first contract if you already maintain a package with commercial users

🛡️ Hustle 3: AI Bug Report Triage Service

With 95% of bug bounty submissions now being AI-generated garbage, maintainers are drowning. Offer to be the filter.

Set up as a third-party triage service: you review incoming vulnerability reports for open source projects, separate real bugs from AI slop, and give maintainers a clean queue. Charge per project or per month.

🧠 Example: A security researcher in São Paulo, Brazil pitched a $800/month triage service to three mid-size open source projects after reading about cURL’s bug bounty shutdown. Two signed up within a month. He spends about 10 hours/week filtering submissions.

📈 Timeline: Active within 2-4 weeks if you have security experience and can demonstrate value with a free trial week
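As an added example (not the author's code, and not any project's real triage tooling), here is the first pass a triage service like this can automate, and the same check the Quick Hits mean by “structured bug report templates and reproducible PoCs”: it assumes a three-section report template, PoCs written as `$ command` lines, and a constructed set of shipped versions and source paths standing in for the project’s repo.

```python
# Added example, not the author's or any project's code: a first-pass filter for
# incoming vulnerability reports, the "clean queue" Hustle 3 describes. It checks
# the report's shape, not the bug: a missing template section, an affected version
# the project never shipped, a cited source file that does not exist, or a PoC
# with nothing to run all get bounced back to the reporter instead of a maintainer.
import re

# Assumed template: three mandatory sections, PoC given as "$ command" lines.
REQUIRED_SECTIONS = ("## Affected version", "## Steps to reproduce", "## Proof of concept")
# Constructed project metadata; a real service would read the repo tree and tags.
KNOWN_VERSIONS = {"2.4.0", "2.5.0", "2.5.1"}
KNOWN_FILES = {"lib/parser.c", "lib/net.c", "src/main.c"}

def triage_report(text, versions=KNOWN_VERSIONS, files=KNOWN_FILES):
    """Return the reasons a report fails the template check (empty list = pass)."""
    reasons = [f"missing section: {s}" for s in REQUIRED_SECTIONS if s not in text]
    version = re.search(r"## Affected version\s*\n\s*([0-9][0-9.]*)", text)
    if version and version.group(1) not in versions:
        reasons.append(f"unknown version {version.group(1)}")
    # Every source path the reporter cites must exist; invented paths are a red flag.
    for path in sorted(set(re.findall(r"\b(?:lib|src)/[\w./-]+\.[ch]\b", text))):
        if path not in files:
            reasons.append(f"cited file does not exist: {path}")
    # The PoC section must contain at least one command line to run.
    _, _, poc = text.partition("## Proof of concept")
    if poc and not re.search(r"^\s*\$ \S", poc, re.MULTILINE):
        reasons.append("proof of concept has no runnable command")
    return reasons

# Constructed sample reports: one that follows the template, one that does not.
GOOD_REPORT = """## Affected version
2.5.1
## Steps to reproduce
Parsing tests/long_header.txt crashes in lib/parser.c with a bad address.
## Proof of concept
$ ./build/parse_test tests/long_header.txt
"""
SLOP_REPORT = """## Affected version
2.9.3
## Steps to reproduce
The function parse_header() in lib/headers.c is vulnerable to a buffer overflow.
## Proof of concept
Send a malicious request and the server will crash.
"""

if __name__ == "__main__":
    for name, report in (("good", GOOD_REPORT), ("slop", SLOP_REPORT)):
        print(name, "->", triage_report(report) or ["pass to a human reviewer"])
```

Reports that pass still go to a person; the script only removes the ones that could never be reproduced as written.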

📊 Hustle 4: Open Source Compliance Consulting for EU Companies

The EU’s Cyber Resilience Act (CRA) is making open source compliance mandatory for products sold in Europe. Most companies have zero idea how to handle this. Be the person who explains it.

Focus on small-to-mid European companies shipping software with open source components. They need SBOM (Software Bill of Materials) generation, license auditing, and CRA compliance documentation.

🧠 Example: A former sysadmin in Rotterdam, Netherlands got CRA-certified through a Linux Foundation course, then started consulting for Dutch IoT startups at €150/hour. She books about 20 hours/month, all through word-of-mouth referrals in local tech meetups.

📈 Timeline: 1-3 months including certification; first paid engagement within a month after that
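As an added example serving both Hustle 1 (flag abandoned packages, identify license risks) and Hustle 4 (SBOM auditing), and not the author's code: a small auditor over a CycloneDX SBOM that produces the findings a client pays to have explained. It assumes CycloneDX 1.5 JSON, a custom `lastReleased` property that a real pipeline would fill in from the registry, and a constructed sample SBOM.

```python
# Added example, not the author's code: audit a CycloneDX JSON SBOM for the two
# things Hustle 1 and Hustle 4 sell, abandoned components and license risk.
# "lastReleased" is an assumed custom property (CycloneDX allows free-form
# name/value properties); a real pipeline would fill it from the registry.
import json
from datetime import date, timedelta

STALE_AFTER = timedelta(days=730)  # the post's two-year "no maintenance" window
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "LGPL-3.0-only"}

# Constructed sample SBOM; package names, versions and dates are made up.
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"purl": "pkg:npm/leftpad-ish@1.3.0", "licenses": [{"license": {"id": "MIT"}}],
     "properties": [{"name": "lastReleased", "value": "2019-04-02"}]},
    {"purl": "pkg:pypi/fastcsv@2.1.0", "licenses": [{"license": {"id": "AGPL-3.0-only"}}],
     "properties": [{"name": "lastReleased", "value": "2025-01-15"}]},
    {"purl": "pkg:pypi/mystery-lib@0.9", "licenses": [], "properties": []},
    {"purl": "pkg:npm/tidy-json@4.0.2", "licenses": [{"license": {"id": "Apache-2.0"}}],
     "properties": [{"name": "lastReleased", "value": "2025-03-30"}]},
]})

def _property(component, name):  # CycloneDX name/value lookup; None if absent
    for prop in component.get("properties", []):
        if prop.get("name") == name:
            return prop.get("value")
    return None

def audit_sbom(sbom_json, today):
    """Return {purl: [findings]} for components a human should review; today is ISO."""
    as_of = date.fromisoformat(today)
    findings = {}
    for comp in json.loads(sbom_json).get("components", []):
        issues = []
        ids = [lic.get("license", {}).get("id") for lic in comp.get("licenses", [])]
        ids = [i for i in ids if i]
        if not ids:
            issues.append("no declared license")  # unknown terms, legal must chase
        issues += [f"copyleft license {i}" for i in ids if i in COPYLEFT]
        released = _property(comp, "lastReleased")
        if released is None:
            issues.append("no release date; check upstream activity by hand")
        elif as_of - date.fromisoformat(released) > STALE_AFTER:
            issues.append(f"no release since {released} (possibly abandoned)")
        if issues:
            findings[comp["purl"]] = issues
    return findings

if __name__ == "__main__":
    for purl, issues in audit_sbom(SAMPLE_SBOM, "2025-06-01").items():
        print(purl, "->", "; ".join(issues))
```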

🛠️ Follow-Up Actions

| Step | Action |
| --- | --- |
| 1 | Run `npm ls` or `pip list` on your own projects — see how deep your dependency tree goes |
| 2 | Check Tidelift and GitHub Sponsors for maintainer funding options |
| 3 | Read the Post-Open Zero Cost License draft from Bruce Perens |
| 4 | Look at HeroDevs if you maintain end-of-life packages |
| 5 | Search your package download stats for corporate IP ranges — those are your potential paying customers |

⚡ Quick Hits

| You Want To… | Do This |
| --- | --- |
| 🔍 Check if your project has abandoned deps | Run `npm audit` or use Trivy/Snyk to scan your dependency tree |
| 💰 Get paid for your open source work | List on Tidelift, set up GitHub Sponsors, or cold-email your corporate users |
| 📖 Understand the Post-Open debate | Read Perens’ draft license and the FOSS Force analysis of it |
| 🛡️ Protect your projects from AI spam | Implement structured bug report templates and require reproducible PoCs |
| ⚙️ Start an SBOM compliance side gig | Take the Linux Foundation’s CRA course and target European SaaS companies |

The entire internet runs on code maintained by people who earn less than a Starbucks barista. Maybe it’s time we stopped pretending that’s fine.
