You would think that the world's biggest tech firms and governments would have hired hundreds of highly paid experts to fix the flaw.
Log4J, a critical piece of core internet infrastructure, was founded as a volunteer project and is still run largely for free, even though many million- and billion-dollar companies rely on it and profit from it every single day. The team is trying to fix it.
This situation is common in the world of open-source software, programs that allow anyone to inspect, modify, and use their code. It is a decades-old idea that is critical to the functioning of the internet. Open-source is a triumph when it goes well. It is a far-reaching danger when it goes wrong.
Filippo Valsorda, a developer who works on open-source projects at Google, says that open-source software runs the internet and the economy. He says it is very common for core infrastructure projects to have a small team of maintainers, or even a single maintainer, who is not paid to work on that project.
There was no recognition.
When I first contacted him, he told me that the team was working around the clock. "My shift ended at 4 a.m.," he said.
In the middle of his long days, Yazici took time to point a finger at critics, saying that the maintainers have been working sleeplessly on mitigation measures.
Before the Log4J vulnerability made this obscure but ubiquitous software into headline news, the project lead had a grand total of three minor sponsors backing his work. Goers is in charge of fixing the flawed code and extinguishing the fire that is causing millions of dollars in damage. It is an enormous task for a spare-time pursuit.
Chris Wysopal, chief technology officer at the security firm Veracode, says that the underfunding of open-source software is a systemic risk to the United States. Critical infrastructure that depends on Linux, Windows, and the fundamental internet protocols matters to the open-source community. The internet faces systemic risks of the highest order.