Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Apache Foundation Calls Out Open-Source Leechers

The Apache Software Foundation (ASF) is calling out for-profit companies leeching on open-source code, warning that “only a tiny percentage” of downstream vendors are contributing to securing the open-source ecosystem.

The Apache Software Foundation (ASF) is calling out for-profit companies leeching on open-source code, warning that “only a tiny percentage” of downstream vendors are contributing to securing the open-source ecosystem.

“[The] community is defined by those who show up and do the work. Companies that build open source into their products rarely participate in their continued maintenance,” the ASF said in a position paper published ahead of a high-level White House meeting on open-source software security. 

“Only a tiny percentage of downstream companies (reusing the same code within their own products) choose to participate [in maintaining the code],” the Foundation said, noting that any future directives must “avoid placing additional unfunded burdens on the few maintainers who are already doing the work.”

The foundation’s statement comes on the heels of the ongoing Apache Log4j incident where a remote code execution vulnerability in a little-known Java-based logging utility led to a global incident response crisis.

The ASF described the Log4j vulnerability as “an unfortunate combination of independently designed features within the Java platform” and argued that disabling antiquated and unnecessary default features would have prevented the issue.

[ READ: Google Finds 35,863 Java Packages Using Defective Log4j ]

“One of the most valuable things businesses that use open source can do is contribute back.  Help fix bugs. Conduct security audits and feed back the results.  Cash, while welcome and useful, isn’t sufficient.  We eagerly welcome audits and fixes from any source,” the Foundation said.

The ASF also used its position paper to criticize businesses for poor patch management practices that leave gaping holes exposed long after patches are released.

“Log4j and HeartBleed are being used as examples of open source vulnerability risks but it must be remembered that once these issues were reported to their respective projects they were dealt with quickly and efficiently.   What caused these, and other vulnerabilities, such as the Apache Struts issue in 2017, to be widely exploited was a failure of businesses to mitigate in a timely manner: either by updating to a new release or applying mitigations,” the ASF said.

[ READ: Exploits Swirling for Major Security Defect in Apache Log4j ]

“While part of the solution may be to ensure companies know what they’ve included in their supply chain, they will also need to have processes for rapidly handling and disclosing vulnerabilities in their dependencies. Users of open source software also need to keep track of lifecycles and ensure the projects they are using are still getting security updates,” it added.

“We can’t fix open source supply chain issues by focusing exclusively on the upstream producer,” the group warned, noting that even perfect software releases can take years to be adopted and deployed by downstream providers.

The ASF is considered one of the largest open source organizations in the world, managing hundreds of widely deployed projects that include Apache Hadoop, Apache Tomcat and Apache Cassandra.  

Related: Attackers Hitting VMWare Horizon Servers With Log4j Exploits

Related: Microsoft Spots Multiple Nation-State APTs Exploiting Log4j Flaw

Related: Google Finds 35,863 Java Packages Using Defective Log4j

Related: Exploits Swirling for Major Security Defect in Apache Log4j

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.