1SECTION 1 · OPENSSL AND THE TWO PEOPLE
GLOBAL INFRASTRUCTURE RUNS ON VOLUNTEERS
In 2014, the Heartbleed vulnerability revealed a critical flaw in OpenSSL — the cryptographic library securing the vast majority of HTTPS connections worldwide. Banks, governments, hospitals, e-commerce platforms, hyperscalers — all depended on OpenSSL. The flaw had existed in the code for two years, undetected. At the time of discovery, OpenSSL was maintained by a team of two full-time people, with an annual budget of approximately $2,000 in donations.
◆ LOG4SHELL — THE 2021 CASE STUDY
Log4j is a Java logging library embedded in millions of applications — from enterprise servers to industrial systems to video game consoles. The Log4Shell vulnerability discovered in December 2021 was rated 10/10 on the CVSS criticality scale. It potentially affected hundreds of millions of systems worldwide. Log4j was maintained by a handful of volunteers, without structured commercial funding. The emergency response to the vulnerability relied on these same volunteers, forced to work without pause for several weeks on a problem whose resolution benefited billion-dollar companies that had contributed nothing to their funding.
◆ THE STRUCTURE OF THE DEPENDENCE
The global software industry is built on an inverted pyramid: billions of dollars in market capitalisation rest, at their base, on open source libraries maintained by dozens or hundreds of people without proportional funding. This pyramid is stable as long as no critical vulnerability appears in the lower layers. When one does, it reveals that the base of the pyramid was made of cardboard.
◆ NASSIHA — OPEN SOURCE IS NOT FREE
Open source is not free. It is funded by the unpaid or underpaid time of its contributors. The "free to use" model defers the cost of development and maintenance onto individuals who bear this cost out of passion, reputation, or idealism — not out of a viable economic model. This invisibility of cost is the source of the vulnerability.