online reviews
Take it as read
parallax background

Open secret

Open-source software runs the world. But who pays for it?

May 7, 2026

5 min read

By

May 7, 2026

By

5 min read

open source software

Photo: Dreamstime.

In March 2024, Andres Freund, a Microsoft database engineer benchmarking PostgreSQL on a Debian test machine, noticed that secure-shell logins were taking 500 milliseconds longer than usual. Half a second. Most engineers would have blamed the network and moved on. Freund kept digging. Within days he had uncovered a backdoor buried in XZ Utils, a compression library carried by nearly every Linux distribution on earth. America’s Cybersecurity and Infrastructure Security Agency logged the flaw as CVE-2024-3094 and assigned it a severity score of 10, the maximum. Had the malicious code reached production releases of Red Hat or Ubuntu, it would have handed its operators remote root access to a sizeable share of the world’s servers.

‘Jia Tan’, the alias of XZ’s mole, had spent two and a half years earning co-maintainer status, before slipping malicious code into versions 5.6.0 and 5.6.1. The patience of the campaign disturbed investigators most. Open-source software, the connective tissue of the modern internet, had come within weeks of its largest single compromise.

The story behind the near-miss began in 1983, when Richard Stallman, then a programmer at MIT, launched the GNU project to build a free clone of Unix, the dominant operating system of the era. His General Public Licence, published six years later, contained a piece of legal jujitsu: anyone could reuse the code, provided their derivative work remained open. In August 1991, a 21-year-old computer-science student in Helsinki named Linus Torvalds posted to a Usenet newsgroup announcing what he described as “just a hobby, won’t be big and professional like gnu”. That hobby, the Linux kernel, married to GNU’s tools, became the operating system that today powers Android phones, stock exchanges and most of the internet’s servers. The phrase ‘open-source software’ entered the lexicon only in February 1998, repackaging Stallman’s free-software ideology in language palatable to corporate procurement departments.

The Linux Foundation’s October 2025 survey of 851 organisations found open-source software in 55 per cent of corporate operating systems, 49 per cent of cloud and container deployments, and 46 per cent of database installations. Some 83 per cent of respondents described it as valuable to their organisation’s future; 46 per cent reported a rise in the business value derived from it over the past year. Artificial intelligence sits at the cutting edge of the trend. Thirty-eight per cent of respondents named AI as the technology that benefits most from being open source, a statistically significant five-point jump from 2024.

From bazaar to cathedral

Only 34 per cent of organisations surveyed had a defined open-source strategy; 26 per cent maintained an Open Source Program Office; 31 per cent ran automated security-testing tools against the components they pulled from public repositories. Seventy-one per cent nonetheless expected sub-12-hour support responses for production incidents, and 53 per cent wanted long-term support guarantees. Volunteer maintainers, however well meaning and motivated, cannot honour service-level agreements.

Harvard Business School’s Manuel Hoffmann, in a 2024 working paper, put the demand-side value of open-source software at 8.8 trillion US dollars (roughly what it would cost humanity to rebuild from scratch), against an estimated four billion US dollars in supply-side investment. Companies harvest enormous value from code they have not paid for; the ecosystem supplying it grows steadily more fragile. The economics of free-riding rarely reveal themselves so plainly.

In January 2025, DeepSeek, a Chinese laboratory spun out of a quantitative hedge fund, released the weights of its R1 reasoning model under an MIT licence, the most permissive available. The model rivalled OpenAI’s proprietary equivalents on benchmarks while costing a fraction to train. Other Chinese labs, Alibaba’s Qwen and Moonshot’s Kimi K2 among them, followed in quick succession. By August 2025 OpenAI itself had relented, releasing its GPT-OSS models openly while its chief executive Sam Altman conceded that the firm had been “on the wrong side of history”.

Germany’s Sovereign Tech Fund, launched in October 2022 by the Federal Ministry for Economic Affairs and Climate Action, has put more than 24 million euros into around 60 projects, including cURL, FreeBSD, GNOME, OpenSSL and PHP. Its annual budget reached 17 million euros in 2025, and the agency is now hiring a new head to scale operations up. A feasibility study published in July 2025 by OpenForum Europe, the Fraunhofer Institute and the European University Institute, commissioned by GitHub, proposes a pan-European version with a minimum 350 million euros budget drawn from the EU’s 2028-35 financial framework.

The European Cyber Resilience Act, which entered into force in December 2024 and becomes fully applicable in December 2027, will require any manufacturer placing software on the EU market to take active responsibility for the security of its open-source dependencies. Vulnerability reporting obligations kick in from September 2026. Manufacturers who fix flaws in upstream projects will be legally encouraged, under Article 13(6), to contribute those fixes back. Companies that have happily consumed without contributing will find the bill arriving in instalments.

The Open Source Security Foundation and OpenJS Foundation, in a joint statement issued shortly after the XZ disclosure, warned that compliance-conscious companies might simply offload paperwork onto people who write code in the evenings. Some maintainers have welcomed structured funding. Others share the foundations’ worry. The bazaar has acquired regulators, accountants and budget lines. New contributors have proved harder to come by.

The bazaar has become the cathedral. Whether its congregations will pay for the upkeep is the question that will define open source’s next decade.

Photo: Dreamstime.

Reinvantage Insight

Reinvantage Insight

The byline Reinvantage Insight is used to denote articles to which several members of the Reinvantage insight and analysis team may have contributed.

Share

You might also find these insightful

Case study: Global technology company

1. The Client

A global technology company operating across EMEA, with a regional HQ in Istanbul. The company manages 20+ markets, handling everything from brand campaigns to strategic partnerships.

Role we worked with: The EMEA Head of Marketing (supported by two regional managers).

2. The Challenge

Despite strong products and a respected global brand, the regional team was struggling with:

  • Misaligned strategy across markets → campaigns executed with inconsistent narratives.
  • Slowed growth → lead generation plateaued despite increasing spend.
  • Internal friction → marketing, sales, and product teams disagreed on KPIs and priorities.

Traditional fixes (more meetings, more reporting) only created more noise.

3. The Sprint

We ran a 10-day Remote Reinvention Sprint with the regional HQ team.

  • Day 1–3: Intake → Reviewed decks, campaign data, and plans.
  • Day 4: Sprint Session (90 mins) → Breakthroughs:
    • Sales and marketing had different definitions of “qualified lead.”
    • 40% of spend was going into low-potential markets.
    • The team assumed the problem was lack of budget, but it was actually lack of alignment.
  • Day 5–10: Synthesis → Insights distilled into a Clarity Brief + Insight Canvas.
4. The Breakthrough

The Sprint uncovered that the issue wasn’t budget, but fragmentation.
Three sharp insights unlocked a way forward:

  1. Unified KPIs bridging marketing + sales.
  2. Market prioritisation → shifting budget to 5 high-potential markets.
  3. Simplified narrative → one EMEA core story, locally adaptable.
By just realigning resources and focus, the client could unlock an estimated £250,000 in efficiency gains within the next 12 months — far exceeding the Sprint’s value guarantee. The path to higher returns was already inside the business, hidden by misalignment.
5. From Sprint to Action (4 Pillars Applied)

With clarity secured, Reinvantage didn’t suggest “more projects.”

Instead, we used the Sprint findings to create laser-focused next steps — drawing only from the areas that would deliver the most impact:

  • Readiness → Alignment workshops for sales + marketing teams. New playbooks clarified “qualified lead” definitions and reduced internal disputes.
  • Foresight → A market-opportunity scan identified which 5 countries would deliver the highest ROI, removing the guesswork from allocation.
  • Growth → Guided the reallocation of €2M budget and designed a phased rollout strategy that protected risk while maximising return.
  • Positioning → Built a messaging framework balancing global consistency with local nuance, ensuring campaigns spoke with one clear voice.

Because the Sprint had stripped away noise, these actions weren’t generic consulting ideas — they were directly tied to the breakthroughs.

6. The Results
  • +28% increase in qualified leads across the region.
  • 30% faster campaign rollout due to streamlined approvals.
  • Budget efficiency gains → €2M redirected from low-return to high-potential markets.
  • Internal cohesion → marketing + sales now use a single shared dashboard.
The client came in believing they needed more budget.
The Sprint revealed that what they really needed was clarity and alignment.

With that clarity, the four pillars became not theory, but practical tools to deliver measurable impact.

The Sprint guaranteed at least £20,000 in value — but in this case, it helped unlock more than 10x that within six months.

Case study: Regional VC fund & accelerator

1. The Client

A regional venture capital fund and accelerator focused on early-stage tech start-ups in the Baltics and Central Europe.

The fund had raised a new round and was under pressure to deliver stronger returns while also building its reputation as the go-to platform for founders.

Role we worked with: Managing Partner, supported by the Head of Portfolio Development.

2. The Challenge

Despite a promising portfolio, results were uneven.

Key issues:

  • Scattered portfolio support → no consistent playbook for start-ups, every partner did things differently.
  • Weak differentiation → founders and co-investors saw the fund as “one of many” in the region.
  • Stretched team → too many small bets, not enough clarity on which companies to double down on.

The leadership team knew something was off, but disagreed on whether the issue was pipeline quality, market conditions, or internal capacity.

3. The Sprint

We ran a 10-day Remote Reinvention Sprint with the partners and portfolio team.

  • Day 1–3: Intake → Reviewed pitch decks, pipeline funnel data, and start-up performance reports.
  • Day 4: Sprint Session (90 mins) → Breakthroughs:
    • No shared definition of a “high-potential founder.”
    • Support resources were spread too thin across the portfolio.
    • The fund’s positioning was more reactive than proactive — it didn’t own a distinctive narrative in the market.
  • Day 5–10: Synthesis → Insights consolidated into a Clarity Brief + Insight Canvas.
4. The Breakthrough

The Sprint revealed that the challenge wasn’t pipeline quality — it was lack of focus and positioning.

Three core insights provided the turning point:

  1. Portfolio Prioritisation Framework → defined clear criteria for where to double down.
  2. Founder Success Playbook → standardised support model for portfolio companies.
  3. Differentiated Narrative → repositioned the fund as “the accelerator of reinvention-ready founders.”
These shifts alone gave the fund a path to add an estimated £2M+ in portfolio value over the following 18 months, by concentrating capital and resources where they could move the needle most.
5. From Sprint to Action (4 Pillars Applied)

With clarity from the Sprint, Reinvantage created a tailored support plan:

  • Readiness → Coached partners on using the new prioritisation framework and trained the team on deploying the Founder Success Playbook.
  • Foresight → Ran scenario analysis on regional tech trends, helping the fund anticipate where capital would flow next.
  • Growth → Guided resource reallocation across the portfolio and supported new co-investor pitches for top-performing start-ups.
  • Positioning → Crafted a sharper brand story for the fund, positioning it as the reinvention partner for globally minded founders.
6. The Results
  • 10 portfolio companies onboarded to the new Playbook → greater consistency of support.
  • Raised follow-on capital for 3 top start-ups with the new prioritisation framework.
  • +26% increase in inbound deal flow from founders citing the fund’s new positioning.
  • Stronger internal cohesion → partners aligned on where to focus resources.
The client thought the problem was pipeline quality.
The Sprint showed it was actually lack of clarity and focus inside the firm.

By applying the four pillars, Reinvantage helped turn scattered effort into concentrated value creation.

The Sprint guaranteed at least £20,000 in value; here it set the stage for multi-million-pound upside in portfolio growth.

Case study: International impact Organisation

1. The Client

A large international impact organisation focused on entrepreneurship and economic empowerment.
The organisation runs multi-country programmes across Eastern Europe and Central Asia, often in partnership with global donors and corporate sponsors.

Role we worked with: Senior Programme Director, responsible for regional coordination.

2. The Challenge

The organisation had launched a flagship regional initiative supporting women entrepreneurs, but the programme was underperforming.

Key issues:

  • Fragmented delivery → each country office interpreted the programme differently.
  • Donor frustration → reporting lacked consistency and clear impact metrics.
  • Lost momentum → staff energy was spent on administration rather than scaling success stories.

Traditional programme reviews had produced long reports, but no real alignment or action.

3. The Sprint

We ran a 10-day Remote Reinvention Sprint with the regional leadership team and representatives from two country offices.

  • Day 1–3: Intake → Reviewed donor reports, programme KPIs, and field feedback.
  • Day 4: Sprint Session (90 mins) → Breakthroughs:
    • Donors cared about quantifiable outcomes, but reporting focused on stories.
    • Staff were duplicating efforts across countries, wasting time and resources.
    • The initiative lacked a clear theory of change — everyone described its purpose differently.
  • Day 5–10: Synthesis → Insights distilled into a Clarity Brief + Insight Canvas.
4. The Breakthrough

The Sprint revealed that the issue wasn’t donor pressure or programme design — it was a lack of shared framework and alignment.

Three critical insights reshaped the path forward:

  1. One Unified Theory of Change → agreed narrative for why the programme exists.
  2. Core Impact Metrics → clear, comparable KPIs across all countries.
  3. Smart Resource Sharing → digital hub to stop duplication and accelerate knowledge flow.
By eliminating duplicated reporting and clarifying what success looks like, the client saw they could save the equivalent of £100,000 in staff time annually — while also unlocking stronger donor confidence and follow-on funding opportunities.
5. From Sprint to Action (4 Pillars Applied)

Armed with Sprint clarity, Reinvantage proposed a laser-focused support plan:

  • Readiness → Trained programme leads on using the new metrics and integrated them into existing workflows.
  • Foresight → Analysed donor trends and expectations, aligning the initiative with the next funding cycle.
  • Growth → Developed a funding case based on the new unified theory of change, securing higher renewal chances.
  • Positioning → Crafted a regional success narrative and storytelling toolkit, helping them showcase results consistently across markets.
6. The Results
  • 30% less time spent on reporting → freed capacity for programme delivery.
  • Donor satisfaction improved → positive feedback on the clarity of impact evidence.
  • Secured new funding commitment → one major donor increased their contribution by 20%.
  • Stronger internal morale → staff felt they were working with clarity, not chaos.
The client thought it needed better donor management.
The Sprint revealed it needed a shared foundation across its teams.

By anchoring on the four pillars, Reinvantage turned alignment into efficiency gains and fresh funding opportunities.

The Sprint guaranteed at least £20,000 in value; here it unlocked both six-figure savings and future-proofed funding.

Case study: National digital development agency

1. The Client

A national digital development agency tasked with driving the government’s digital transformation agenda, including e-services, citizen portals, and smart city pilots.

Role we worked with: Director of Digital Transformation, supported by IT and service delivery leads from three ministries.

2. The Challenge

The agency had strong political backing but faced hurdles in implementation.

Key issues:

  • Siloed projects → each ministry developed digital tools independently, leading to duplication.
  • Citizen frustration → services were digital in name, but still required multiple logins and offline steps.
  • Funding pressure → international partners demanded clearer impact in the short term.

The agency wanted to accelerate momentum but struggled to get alignment across ministries.

3. The Sprint

We ran a 14-day Immersive Reinvention Sprint with the agency’s leadership and digital focal points from three ministries.

  • Day 1–3: Intake → Reviewed strategy docs, donor reports, and citizen feedback data.
  • Day 4: Immersive Sprint Session (half-day) → Breakthroughs:
    • Each ministry had different definitions of “digital service.”
    • 20% of budget was going into overlapping pilot projects.
    • Citizens’ top frustrations were known — but not prioritised.
  • Day 5–14: Synthesis → Insights consolidated into a Clarity Brief + Insight Canvas.
4. The Breakthrough

The Sprint revealed that the biggest blocker wasn’t lack of funding, but lack of shared priorities.

Three practical insights stood out:

  1. One Definition of Digital Service → agreed across ministries.
  2. Quick-Win Prioritisation → focus on top 3 citizen pain points (ID renewal, business registration, healthcare booking).
  3. Shared Resource Map → pool budgets to eliminate duplication.
These changes alone allowed the agency to unlock £75,000 in immediate savings and deliver 2–3 visible improvements in the next quarter — meeting donor expectations and building citizen trust.
5. From Sprint to Action (4 Pillars Applied)

Based on the Sprint clarity, Reinvantage proposed a modest, targeted package of support:

  • Readiness → Facilitated inter-ministerial workshops to embed the “one digital service” definition.
  • Foresight → Analysed citizen feedback trends to shape the quick-win roadmap.
  • Growth → Supported the reallocation of funds to joint projects, reducing overlap.
  • Positioning → Crafted a communication plan highlighting early digital wins to donors and citizens.
6. The Results
  • 2 pilot services integrated into the central portal (ID renewal + healthcare booking).
  • Budget savings of £75,000 from eliminating overlapping projects.
  • Citizen satisfaction up modestly → call centre complaints on digital services dropped by 12%.
  • Donor confidence improved → short-term impact report received positive feedback.
The client thought it needed more funding and bigger projects.
The Sprint revealed it first needed clarity and alignment.

By applying the four pillars to a targeted scope, Reinvantage helped deliver visible results within a single quarter — proving progress to citizens and donors and laying the groundwork for deeper transformation.

You must be logged in to view this page. Login here.

Bridging the Reinvention Gap: Fill this form and get your preview copy immediately.

Future of IT: Fill this form and get your preview copy immediately.

War for Talent: Fill this form and get your copy immediately.

The Voice of Ukrainian Start-ups: Fill this form and get your copy immediately.

The uncounted engine: Ukraine’s start-up rise. Fill this form and get your copy immediately.

The Investment Promotion Playbook 2025: Fill this form and get your preview copy immediately.

The Reinvention Masterclass for Start-up Founders: Join the private cohort

Beyond Borders: Join the private edition