Businesses are simply not in the business of fair dealing. Those prioritizing their own concerns are simply doing what the law or the software license allows. The problem is not payment; it is permission: many popular open-source licenses are extremely permissive and lack the reciprocity requirements of copyleft licenses. Licenses like the Apache license and the MIT license grant users a great deal and ask very little of them in return.
"Open source maintainers create massive amounts of value and capture almost none of it," said Feross Aboukhadijeh, an open-source developer who runs Socket, in an email to The Register. "Many of the most important open source projects that power the Fortune 500 are maintained by volunteers in their spare time, after work hours.
"The software industry needs to find a way to help maintainers start capturing at least a portion of the value they create so they can continue to write new features, fix bugs, improve documentation, and most importantly, fix critical security issues in a timely manner."
Aboukhadijeh added that the Log4j incident also illustrates how almost no company using open-source code in their applications bothers to review it.
"At the end of the day, companies are responsible for ensuring the code they ship to production is safe, secure, and reliable," he said.