
Open Source Sustainability

Every time you use the internet, you're relying on software built and maintained by unpaid volunteers. Valued at $8.8 trillion, open source infrastructure powers trillion-dollar companies — yet 60% of its maintainers receive nothing. This is the story of civilization's most valuable gift, and the quiet crisis threatening to break it.


The $8.8 Trillion Gift Nobody Pays For

In early 2024, a Microsoft engineer named Andres Freund noticed something strange: a 500-millisecond delay in SSH connections on his personal Linux machine. He spent weeks tracing it. What he found was a meticulously engineered backdoor planted inside XZ Utils — a compression library installed on hundreds of millions of Linux servers — by an attacker who had spent two years befriending and manipulating a burned-out solo maintainer.

One person. One library. One near-miss from what security experts called potentially “the most widespread and effective backdoor ever planted in any software product.”

The internet got lucky. It always does — until it doesn’t.


Knowledge Has Never Belonged to Anyone

Before we talk about who maintains the internet, we need to talk about who built it — and the myth that obscures that answer.

In 1675, Isaac Newton wrote: “If I have seen further, it is because I have stood on the shoulders of giants.” He was crediting Copernicus, Kepler, Galileo, Hooke, and Halley. The metaphor itself wasn’t even original — it dates to at least 1123 CE.

Every breakthrough we attribute to a single name was built on a mountain of prior collective work. Einstein’s special relativity resolved a contradiction between Maxwell’s equations (James Clerk Maxwell, 1860s) and Newtonian mechanics — a problem that Lorentz and Poincaré were already circling before Einstein published in 1905. General relativity required Riemann geometry, tensor calculus developed with Marcel Grossmann, and Ernst Mach’s critique of absolute space. Einstein was a genius at synthesis; the raw material was humanity’s.

Marie and Pierre Curie won the Nobel Prize jointly with Henri Becquerel — because the Nobel committee understood that radioactivity was a chain: Röntgen discovers X-rays in 1895, Becquerel discovers radioactivity inspired by Röntgen in 1896, the Curies build on Becquerel from 1897. Darwin and Wallace independently arrived at natural selection simultaneously — the classic case of an idea whose time had come, not a lone stroke of inspiration.

The pattern holds for technology. Tim Berners-Lee built HTML, HTTP, and URLs on top of ARPANET (1969), TCP/IP (Cerf and Kahn, 1974), DNS, and two decades of collectively developed internet protocols. He then refused to patent the web — a deliberate choice to keep it in the commons. When Linus Torvalds announced Linux in 1991, he described it as “just a hobby, won’t be big and professional.” His foundations: Unix (a university course), MINIX (Andrew Tanenbaum’s teaching OS), POSIX standards (collective norms), and the GNU GPL (Richard Stallman’s collective legal framework). The kernel now runs approximately 77% of the world’s servers. https://w3techs.com/technologies/details/os-linux

A 2010 Management Science study analyzing over half a million patents confirmed what the history of science already showed: collaborative inventors are 28% more likely to achieve breakthroughs than lone inventors — and less likely to produce catastrophic failures. https://pubsonline.informs.org/doi/10.1287/mnsc.1090.1072

The internet is not the work of a few visionaries. It is the accumulated gift of generations of scientists, engineers, and volunteers who built on each other’s work and, crucially, shared it.


The $8.8 Trillion Foundation

That gift has a price tag. Harvard Business School calculated in 2024 that open source software would cost $8.8 trillion to rebuild from scratch — and 96% of that value depends on just 5% of contributors. https://www.hbs.edu/ris/Publication%20Files/24-038_51f8444f-502c-4139-8bf2-56eb4b65c58a.pdf

A 2022 Harvard and Linux Foundation study (Census II) found that 136 developers were responsible for more than 80% of all lines of code added to the top 50 most widely used non-npm open source packages, and that 23% of projects have a single developer responsible for over 80% of their codebase.
https://www.linuxfoundation.org/research/census-ii-of-free-and-open-source-software-application-libraries

Trillion-dollar companies — Google, Amazon, Microsoft, Meta — run their entire business on top of Linux, OpenSSL, DNS software, Apache, and dozens of non-profit and volunteer projects. They do contribute back, but critics argue that what they contribute is disproportionately small relative to the value extracted.

This is not a bug. It is the architecture.


Heartbleed: The Wake-Up Call That Hit Snooze

In April 2014, researchers disclosed a vulnerability in OpenSSL — the encryption library protecting an estimated two-thirds of all encrypted web traffic. The bug, named Heartbleed, allowed attackers to silently read protected memory from any server running it. Passwords, private keys, session tokens — all exposed without a trace.

The cause was almost more alarming than the vulnerability. OpenSSL was maintained by one full-time paid developer, Stephen Henson, funded by approximately $2,000 per year in donations. The Linux Foundation launched the Core Infrastructure Initiative (CII). Google, Microsoft, Amazon, IBM, and Facebook each pledged ~$100,000 per year. https://en.wikipedia.org/wiki/Core_Infrastructure_Initiative

Then the CII was folded into the OpenSSF in 2020. Funding moved on. Maintainers outside the critical list stayed exactly as underfunded as before.

In 2024: XZ Utils. A widely-deployed compression library, one maintainer, two years of patient social engineering by an attacker who exploited not a code bug but a human one — the maintainer’s exhaustion. Only discovered by accident.

Heartbleed did not fix the problem. It paused it.


60% Work for Free

A 2024–2025 survey found that 60% of open source maintainers receive no payment for their work. Of those, 60% have quit or considered quitting, and 44% cite burnout. https://byteiota.com/open-source-maintainer-crisis-60-unpaid-burnout-hits-44/
Three-quarters of all open source projects are maintained by three people or fewer.

NLnet Labs, the Dutch non-profit maintaining DNSSEC tools and DNS resolver software used by governments and ISPs worldwide, funds its operations through a patchwork: EU research grants, .nl domain registry subsidies, contracted development, support contracts, and grants from Germany’s Sovereign Tech Fund. The people keeping DNS secure are also writing grant applications.

It works — barely, and only because of extraordinary dedication from people who understand they are maintaining collective infrastructure.


AI: The Newest Version of an Old Extraction

The AI boom added a new chapter to a very old story.

AI companies trained large language models on open source code, academic papers, documentation, and decades of freely shared human knowledge — extracting enormous value from the same commons that produced Einstein’s synthesis, the web, and Linux. The companies profiting from this are among the wealthiest in history. Most maintainers whose work formed the training data received nothing.

The licensing backlash followed: BUSL, SSPL, Commons Clause — projects shifting to restrictive licenses specifically to block commercial AI extraction without contribution. But licenses don’t solve a more immediate problem: AI-generated bug reports and pull requests are now flooding maintainer inboxes, each requiring 2–8 hours of unpaid human judgment to evaluate. The people already working for free are now absorbing the operational costs of billion-dollar products.

This is the free-rider problem at civilizational scale — and as WIPO noted in a 2024 working paper, “expansion of patentable subject matter hampers diffusion of technology and is detrimental to follow-on innovation, employment, and economic growth.” https://www.wipo.int/edocs/pubdocs/en/wipo-pub-econstat-wp-77-en-artificial-intelligence-and-intellectual-property-an-economic-perspective.pdf

The pattern is identical to every prior enclosure of collective knowledge: the printing press, vaccine formulas, seed patents, colonial extraction of indigenous technology. Shared knowledge creates progress; enclosed knowledge impoverishes everyone but the encloser.


The Multipolar Dimension

There is a geopolitical layer to this story that deserves its own deep treatment — and will get it in a future piece. For now, the essential point:

Governments have begun to recognize that open source is not an idealistic hacker project. It is sovereign infrastructure. Nations running their critical systems on foreign proprietary stacks have no real sovereignty.

Germany’s Sovereign Tech Fund has invested €23.5 million across 60+ open source projects — FreeBSD, PHP, Samba, Linux kernel components, NLnet Labs’ DNS tooling.
https://www.sovereign.tech/programs/fund
The EU is building a proposed EU Sovereign Tech Fund to extend the model across member states. Estonia’s minister for digital affairs put it plainly in 2026: “Digital sovereignty is a matter of national survival, not just IT policy.”

Meanwhile, a fragmenting world is producing divergent technology stacks. The same open source principle that built the internet is now being deployed as geopolitical strategy — some nations sharing it to build alliances; others enclosing it to extract competitive advantage.

The collective knowledge model that gave us the internet is now the battleground of a multipolar world. We will go deeper into that dimension in a separate article later…
For now, the core observation is enough: the Sovereign Tech Fund model exists, works, and is being replicated precisely because open source infrastructure and national sovereignty are now the same conversation.


What Solutions Look Like

The problem has a name: public goods provision failure. Everyone uses it, but no one pays to maintain it.
The solutions that work treat open source as global infrastructure — roads, not proprietary products.

  • Government model: Germany’s Sovereign Tech Fund (€17M/year by 2024). https://www.sovereign.tech/programs/fund
  • Corporate norm model: The Open Source Pledge — companies committing $2,000/year per developer on staff to maintainers, published publicly. https://opensourcepledge.com/
  • Foundation model: OpenSSF, backed by Google, Microsoft, Amazon, and Meta — focused on security specifically.
  • Individual model: GitHub Sponsors — $60M+ unlocked since 2019, effective for visible maintainers, nearly useless for anonymous critical infrastructure authors. https://github.com/open-source/sponsors

None is sufficient alone. Together they represent a shifting norm: that the collective human achievement of open source software infrastructure has real maintenance costs — and that the people doing the work should be paid.


In a nutshell

  1. The internet in 2026 runs on a collective gift that civilization has decided, by default, not to maintain. The Harvard number is $8.8 trillion. The reality is 60% unpaid, three people or fewer on three-quarters of projects, and an AI extraction dynamic layered on a structural failure that predates every AI company in existence.
  2. The XZ Utils backdoor was caught because one engineer noticed a 500-millisecond anomaly. Post-mortem analysis found similar social engineering attempts targeting JavaScript projects — same technique, different target.
  3. Newton’s giants held him up. The giants holding up the modern internet are burning out, unsponsored, and now handling spam from AI systems trained on their own work.

The question is not whether the current model is sustainable. It isn’t. The question is whether the Sovereign Tech Fund model, the Open Source Pledge, and a slow shift in corporate and governmental norms will scale fast enough — or whether the next 500 milliseconds goes unnoticed…


What You Can Do

  • Developers: Sponsor the maintainers of tools you depend on via GitHub Sponsors or thanks.dev. File good bug reports — not AI-generated ones.
  • Companies: Audit your dependency graph. The most critical libraries are probably the least funded. Advocate for the Open Source Pledge.
  • Policymakers: Germany built the Sovereign Tech Fund in two years. The model works. It is replicable.
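The dependency audit suggested for companies above can start with a fan-in count over the lock file: the packages that most of the graph transitively reaches are where a single exhausted maintainer matters most, which is exactly the XZ Utils shape. The script below is an added example, not code from the article; the package names and maintainer head-counts are constructed, and the dependency map stands in for whatever a real lock file or SBOM would produce.

```python
from collections import defaultdict

# Constructed dependency map (hypothetical package names), shaped like a
# flattened lock file: package -> its direct dependencies.
DEPS = {
    "webapp": ["framework", "httpclient"],
    "framework": ["templating", "compress"],
    "httpclient": ["tls", "compress"],
    "tls": ["bignum"],
    "templating": [],
    "compress": [],
    "bignum": [],
}

# Constructed maintainer head-counts, e.g. read from each project's
# governance or MAINTAINERS file.
MAINTAINERS = {
    "framework": 12, "httpclient": 4, "tls": 3,
    "templating": 2, "compress": 1, "bignum": 1,
}


def transitive_deps(pkg, deps, seen=None):
    """All packages reachable from pkg through dependency edges.
    The shared `seen` set makes this cycle-safe."""
    if seen is None:
        seen = set()
    for dep in deps.get(pkg, []):
        if dep not in seen:
            seen.add(dep)
            transitive_deps(dep, deps, seen)
    return seen


def fan_in(deps):
    """For each package, how many other packages transitively depend on it."""
    counts = defaultdict(int)
    for pkg in deps:
        for dep in transitive_deps(pkg, deps):
            if dep != pkg:  # ignore self-reach through a cycle
                counts[dep] += 1
    return dict(counts)


def most_critical(deps, n=3):
    """Highest fan-in first; ties broken by name for stable output."""
    return sorted(fan_in(deps).items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def at_risk(deps, maintainers, max_maintainers=1, min_fan_in=2):
    """Packages many others reach but few people maintain: the
    'most critical, least funded' intersection the article describes."""
    counts = fan_in(deps)
    return sorted(
        pkg for pkg, c in counts.items()
        if c >= min_fan_in and maintainers.get(pkg, 0) <= max_maintainers
    )


if __name__ == "__main__":
    for pkg, count in most_critical(DEPS):
        print(f"{pkg}: reached by {count} packages")
    print("at risk:", at_risk(DEPS, MAINTAINERS))
```

On the constructed data, the two leaf libraries `compress` and `bignum` are reached by three packages each yet have one maintainer apiece, so they are the ones to sponsor or at least to watch; in a real audit the `DEPS` map would come from the lock file and the maintainer counts from the upstream projects.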

The people holding the internet together are generous by default — continuing a tradition of shared human knowledge that stretches from Bernard of Chartres to Linus Torvalds’ 1991 announcement. The question is whether the rest of us will honor that tradition, or keep taking it for granted.

Sal

“If I have seen further, it is because I have stood on the shoulders of giants.” Isaac Newton
