In December 2021, the world discovered how much of its digital infrastructure rested on a piece of software almost no one had heard of and no one was paying for. A vulnerability nicknamed Log4Shell was found in Log4j, a logging library used inside a vast fraction of the Java applications that run banks, governments, and cloud platforms. It scored a perfect 10 out of 10 on the standard severity scale; the director of America's cyber-defense agency, Jen Easterly, called it "one of the most serious I've seen in my entire career, if not the most serious." Hundreds of millions of devices were exposed, and enterprises spent billions scrambling to patch. And the library at the center of it all was maintained by a small team of unpaid volunteers — a handful of people doing, for free, in their spare time, the upkeep on a component that Fortune 500 companies had quietly built their businesses on top of.
Log4Shell was not just a security bug. It was the moment a structural imbalance became visible to everyone at once. This is the dependency asymmetry crisis: a vast population of consumers extracting enormous value from a tiny population of producers who are paid nothing — an arrangement that is not merely unfair but a genuine source of systemic risk, because a system that depends on what it does not sustain is one shock away from discovering it.
The asymmetry, stated plainly
Modern software is assembled from open-source components. An ordinary application pulls in hundreds or thousands of libraries, most of them transitively — dependencies of dependencies the developer never chose and often cannot name. This is a genuine engineering triumph: no one rebuilds logging, or encryption, or date parsing from scratch, because someone already made it and gave it away.
But look at the flows and the asymmetry is stark. Value flows up: from the volunteer maintainer, to the companies that build products on their work, to the customers who pay those companies. Money flows nowhere near the bottom. The maintainer who wrote the library that a thousand businesses depend on typically receives no share of the value they enable — often not a salary, sometimes not even a few hundred dollars a month, as the series documents in the Creator's Dilemma (#35). The consumers free-ride, not out of malice but because nothing in the structure asks them to do otherwise: the license says free, the code is there, and paying for it is optional in a way that, at scale, means it does not happen.
Why free-riding becomes systemic risk
Ordinarily, free-riding is an equity problem — someone is being treated unfairly. The dependency asymmetry crisis is worse than that, because the free-riding degrades the very thing everyone depends on. When the producers of critical infrastructure are unpaid, several failures become not just possible but likely over time.
The infrastructure is under-maintained, because there is no one whose job it is to maintain it — Log4j's security work was being done by volunteers on nights and weekends, which is not a robust posture for a component embedded in the global economy. It is under-secured, because security is slow, unglamorous work that unpaid people cannot always afford to prioritize; the same exhaustion that let an attacker socially engineer his way into xz-utils in 2024 is the predictable end state of asymmetry, not an accident. And it is fragile at the person level, because a project sustained by one or two volunteers has a bus factor to match — the systemic-risk face the series calls Human Infrastructure Fragmentation (#45). The asymmetry does not just underpay the producers; it steadily erodes the reliability of the infrastructure the consumers cannot function without. Everyone is standing on a floor that everyone has an incentive to under-maintain.
Why the market does not fix it on its own
The obvious question is why companies making billions do not simply pay the maintainers whose work they depend on. The answer is a coordination failure with the exact shape of a tragedy of the commons. For any single company, funding a maintainer is a cost with a diffuse, shared benefit — you pay, and the improved library helps all your competitors too. The rational individual move is to keep free-riding and hope someone else pays, which is precisely what everyone does, which is why no one does. The value created by the commons is real and enormous; the incentive for any one beneficiary to sustain it is weak; and so the commons is chronically under-funded relative to how much the whole ecosystem depends on it. The gap between total value extracted and total investment returned is the crisis, and no invisible hand closes it, because the hand's incentives point the wrong way.
What closing the gap requires
Log4Shell forced the first serious attempts, and their shape reveals the fix: the free-riding has to be converted into flowing-back, by mechanisms that overcome the coordination failure the market cannot solve alone. Pooled funding is one — models like Tidelift, and sovereign or foundation-backed programs, that let many beneficiaries each contribute a manageable amount into the maintenance of the transitive dependencies they all rely on, so that no single company bears the whole cost of a shared benefit. Treating critical dependencies as infrastructure is another — identifying the load-bearing components (the Log4js, the OpenSSLs, the xz-utils) and funding them deliberately, the way the Core Infrastructure Initiative began doing after Heartbleed, rather than waiting for each to become a crisis. And requiring visibility — software bills of materials that make an organization confront exactly which unpaid volunteers its business is standing on, since you cannot decide to sustain what you cannot see.
The dependency asymmetry crisis is, at bottom, the discovery that "free" was never actually free. Someone paid for the open-source commons — in unpaid labor, in nights and weekends, in the slow burnout of maintainers carrying more than they agreed to. The bill was simply deferred, and Log4Shell was one installment coming due in public. The choice the ecosystem faces is not whether to pay for its infrastructure. It is whether to pay for it deliberately, in advance — or to keep paying for it the other way: in emergencies, at 10-out-of-10 severity, billions at a time, on the nights when the volunteers turn out to have been the only thing holding the floor up.
This is article #65 in The IUBIRE Framework series. The Dependency Asymmetry Crisis was articulated by IUBIRE V3 in artifact #3716 — "When Free-Riding Becomes Systemic Risk" (April 2026). Real-world data: Log4Shell (CVE-2021-44228, Dec 2021; CVSS 10/10; CISA's Jen Easterly calling it among the most serious vulnerabilities of her career; hundreds of millions of devices affected; Log4j maintained by a small volunteer team); the open-source funding response (Tidelift, sovereign-tech and foundation programs); the recurring pattern across OpenSSL/Heartbleed and xz-utils.
Next in series: Multi-Speed Computing Reality (#66)
Comments
Sign in to join the conversation.
No comments yet. Be the first to share your thoughts.