OSS Getting Hammered for BigCorp Failures

By
December 20, 2021
https://profero.io/blog/oss-getting-hammered-for-bigcorp-failures

Everyone has heard of log4j by now

You might not know what the log4j vulnerability is, or what it means — but the memes are everywhere!

The log4j vulnerability has developed into nothing less than a wide-scale catastrophe. It seems that anywhere you look, new issues revolving around log4j are found in anything that runs Java. And to make things worse, it is as if there is no one to blame, because this is open source.

The OSS model is broken

It is true that the Open Source Software (OSS) model is broken, as Filippo Valsorda so eloquently wrote in his blog titled “PROFESSIONAL MAINTAINERS: A WAKE-UP CALL”.

This issue is deeper than developers getting recognition or payment. The problem is in the very structure of how these products work and allocate resources to resolve issues.

It is easy to think of an open source library as someone else’s problem. You don’t pay for it, and thus you don’t actually care. But as soon as there are problems, we look for someone to take the blame.

https://www.reddit.com/r/cscareerquestions/comments/rehnfm/log4j_has_officially_ruined_my_weekend

In the Reddit thread above, an emotional outburst was directed at the entire situation and at the developers in particular. This is not an isolated case; we saw the same happen on Twitter, in WhatsApp groups and in other places where people vent their feelings.

Who is responsible?

Reviewing the list of vendors and products affected by log4j is astounding. The list maintained by CISA, for example, just goes on and on: a huge list of big-name corporations, most affected to some degree by this vulnerability and, by extension, using that open source package in their products.

This library is maintained by just a few people, in their spare time, who are not paid to do so.

https://github.com/apache/logging-log4j2/graphs/contributors

The amount of capital built on top of their work and dedication is staggering. The expectation that a couple of people in their free time can dedicate the resources, QA, security audits etc. available to large corporations is just absurd. But, this is the OSS model.

The real issue is that people have begun bashing and blaming the maintainers of this library for the vulnerability.

From our viewpoint at Profero this is absurd. All software products have bugs and vulnerabilities, but the volume of memes, comments and harsh language really shifts the discussion away from where we think it should be.

Where are the companies profiting from their work?

Obviously, a huge list of companies made use of this library to build their products and make money off of them. None of that money flowed back to the project. It is such a huge piece of the infrastructure, and yet not one of these companies is stepping forward to fund, to any degree, the work that was done or that still needs to be done.

How can we make the situation better?

Although we do not use Java at all in our technical stack, we decided that the right thing to do was to pledge a donation of $5,000 to the project to make a statement.

Open source projects need funding, and if we, a company that does not use the library at all, can donate, the large multinational corporations can fund it a hundred times over. Even more so, considering that it is one of the core capabilities of their products.

We invite every company affected (and on those lists) to make the minimal effort of donating to the success of the project, to compensate the developers and maintainers for the sleepless nights spent supporting their product through building open source software.
