From b4498bff143d63ed9e8d8c8881214d9503cd2f62 Mon Sep 17 00:00:00 2001 From: Max Howell Date: Wed, 1 Nov 2023 12:06:12 -0400 Subject: [PATCH] Fix Foundatio[n --- white-paper.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/white-paper.md b/white-paper.md index 2e370e7..6d8235c 100644 --- a/white-paper.md +++ b/white-paper.md @@ -33,7 +33,7 @@ Enterprise software, which has grown into a multi-billion dollar industry, is bu We believe that the potential of the modern-day internet has been stunted by relying on a small percentage of the world’s engineers to maintain open-source software purely out of altruism. Open-source is a labor of love often hindered by a lack of meaningful incentives for core maintainers. Open source developers must choose between a day job that provides living wages or maintaining the very foundation of enterprise software. A lack of incentives results in genuinely worthwhile projects never reaching their potential while others suffer from security issues due to a lack of upkeep throughout the software’s lifecycle. To unlock the full potential of open-source, we require a universal method for assessing the “fair value” of open-source projects, enabling open-source developers to capture the value they create by facilitating capital inflows to the open-source community, all without altering the core principles of how open-source is developed and used. -Enterprises often wrap business models around open-source, generating revenue directly from the work of the benevolent developers while also relying on them to fix bugs as issues occur. Open-source codebases offer plug-and-play core functionality for enterprises; however, software vulnerabilities can pose an immense risk for applications built on top of open-source. A great example is a recent incident involving a critical security vulnerability in Log4j, a package from the [Apache Software Foundatio](https://www.apache.org/)n that found its way across many commercial software and services employed by enterprises and governments. In November 2021, a security researcher working for [Alibaba Group Holding Ltd.](https://www.alibabagroup.com/) reported vulnerability [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228), which received the highest possible base score from the Apache Software Foundation. Amit Yoran, Chief Executive of [Tenable](https://www.tenable.com/) and founding director of the United States Computer Emergency Readiness Team (US-CERT), described this vulnerability as “[the single biggest, most critical vulnerability of the last decade](https://www.reuters.com/article/usa-cyber-vulnerability-idCNL1N2SY2PA)”. Panic ensued and the few volunteers who maintained this package came publicly under fire for the failure. After addressing the outrage with a humble plea for fairness, systems got patched. Enterprises and governments eventually realized that Log4j, a package used by a broad range of critical systems for two decades, was maintained by a few unpaid volunteers, the same unsung heroes who sprang into action despite [abuse from the industry](https://twitter.com/yazicivo/status/1469349956880408583) and worked tirelessly to address the vulnerability. +Enterprises often wrap business models around open-source, generating revenue directly from the work of the benevolent developers while also relying on them to fix bugs as issues occur. Open-source codebases offer plug-and-play core functionality for enterprises; however, software vulnerabilities can pose an immense risk for applications built on top of open-source. A great example is a recent incident involving a critical security vulnerability in Log4j, a package from the [Apache Software Foundation](https://www.apache.org/) that found its way across many commercial software and services employed by enterprises and governments. In November 2021, a security researcher working for [Alibaba Group Holding Ltd.](https://www.alibabagroup.com/) reported vulnerability [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228), which received the highest possible base score from the Apache Software Foundation. Amit Yoran, Chief Executive of [Tenable](https://www.tenable.com/) and founding director of the United States Computer Emergency Readiness Team (US-CERT), described this vulnerability as “[the single biggest, most critical vulnerability of the last decade](https://www.reuters.com/article/usa-cyber-vulnerability-idCNL1N2SY2PA)”. Panic ensued and the few volunteers who maintained this package came publicly under fire for the failure. After addressing the outrage with a humble plea for fairness, systems got patched. Enterprises and governments eventually realized that Log4j, a package used by a broad range of critical systems for two decades, was maintained by a few unpaid volunteers, the same unsung heroes who sprang into action despite [abuse from the industry](https://twitter.com/yazicivo/status/1469349956880408583) and worked tirelessly to address the vulnerability. Sadly, Log4j is far from the only example. core-js is downloaded 30 million times per week as the base of every Node.js application, yet it is also barely funded, potentially forcing it’s primary maintainer to [walk away from the project or even change the license to closed source](https://www.thestack.technology/core-js-maintainer-denis-pusharev-license-broke-angry/). Recently several bitcoin core developers resigned, citing, among other reasons, a lack of financial compensation for their decision.