When Anthropic, AWS, GitHub, Google, Microsoft, OpenAI and others announced $12.5 million in grants to strengthen open source security, it sounded like industry responsibility. Do the maths differently and the gesture looks meagre. Those companies boast a combined market value around $7.7 trillion. The grants amount to roughly 16 cents for every $100,000 in market capitalisation.
The problem runs deeper than charitable giving norms. Open source software is typically given away, and the labour behind it is largely unpaid: up to 86% of open source developers receive no payment for their work. The average open source maintainer puts 40 hours per week into their project while earning nothing from it. Even among the minority who are paid, the picture is grim: only 26% make more than $1,000 a year.
This economic squeeze has concrete consequences. The curl project ended its bug bounty program after being overwhelmed by AI-generated submissions. The episode reflects a broader burden: maintainers now face a surge of AI-generated security reports, many of them fabricated or low quality, and each one still has to be read and triaged before it can be dismissed. Helping maintainers cope with that load is the stated aim of the grants.
Yet there is an emerging counterargument worth considering. Some industry voices contend that the problem lies not in corporate stinginess but in how open source maintenance is structured. Rather than appealing for charity, they suggest, the ecosystem needs to shift toward contractual relationships. In 2026, observers hope to see major enterprises formalise support contracts or usage-based funding for the libraries they depend on. Several initiatives, including endowment models launched by venture capitalists and developer founders, aim to create sustainable revenue streams rather than one-off donations.
The recent $12.5 million commitment does address a real problem: Alpha-Omega and OpenSSF will work directly with maintainers, supplying the hands-on help that overworked projects need to process the growing volume of AI-generated security reports. But whether grants and resources prove adequate depends on whether businesses accept that depending on free labour for the code they ship is a genuine financial and supply-chain risk, not a convenience. Shifting from charity to contractual obligation would require a change in how enterprises view maintenance work. That shift has yet to arrive.