The $12.5 Million Question

Seven companies worth $10 trillion pledged $12.5 million to open-source security. We followed the money. There wasn't much to follow.
By Nadia Byer · March 26, 2026

Seven companies — Anthropic, AWS, GitHub, Google, Google DeepMind, Microsoft, and OpenAI — announced on March 17 that they would collectively contribute $12.5 million to open-source security through the Linux Foundation. [1] Their combined market capitalization exceeds $10.14 trillion. [2]

$12.5 million is 0.000123% of that figure. If you earn $100,000 a year, that's twelve cents. [3]

These same companies are spending $660–690 billion on AI infrastructure in 2026. [4][5][6] The pledge represents 0.0018% of that number. Less than five hours of OpenAI's projected revenue. [7] A fraction of a fraction of a fraction of what they extract from the open-source ecosystem every day.

The question is not whether $12.5 million helps. It's whether calling it a commitment with a straight face should count as a form of performance art.

· · ·

They've Done This Before

In May 2022, Amazon, Microsoft, Google, Intel, and others pledged $30 million to the Open Source Security Foundation. It was part of a broader $150 million plan. The announcement came after a White House executive order on software supply chain security. The press coverage was generous. [8][9]

Aeva Black led CISA's open-source security program for two years. She watched what happened next.

The commitments had "not materialized at the amount promised," leading to "a lot of disappointment." [10]

Then ChatGPT launched on November 30, 2022. Companies began reassigning their open-source security developers to AI teams. Black said most of the Microsoft experts she worked with on open-source security "have been moved over to AI teams now." [10]

The pattern is always the same: pledge, press release, pivot.

Corporate sponsorships to the Open Source Collective dropped 23% in 2023 — during an AI boom. [11] The money didn't arrive. Companies actively redirected it.

Four years later, the same companies are pledging again. Smaller amounts. Vaguer terms. Identical structure.

· · ·

Show Me the Receipts

Of the seven pledging companies, exactly one disclosed how much it contributed.

AWS committed $2.5 million, directed specifically to Alpha-Omega. [12] That leaves $10 million split among Anthropic, GitHub, Google, Google DeepMind, Microsoft, and OpenAI — six entities representing over $7.89 trillion in combined market capitalization — with no public breakdown.

Here is what each company said, and what none of them said:

Anthropic (Vitaly Gudanets, CISO): "give them the resources and tooling to address threats at scale." [1]

GitHub (Kyle Daigle, COO): Supporting maintainers through "funding, training, and AI-powered tools." [1]

Google (Evan Kotsovinos, VP): "AI-driven innovation with proven frameworks." [1]

Google DeepMind (Four Flynn, VP): Turning AI's vulnerability-finding into "a massive defensive advantage." [1]

Microsoft (Mark Russinovich, CTO): "an important step in democratizing AI-powered defenses." [1]

OpenAI (Dane Stuckey, CISO): The need for "unprecedented levels of collaboration." [1]

What none of them disclosed: how much they individually contributed, when the money would be disbursed, to which projects, under what criteria, with what accountability metrics, or by what timeline.

Six companies representing $7.89 trillion in market cap, with undisclosed contributions and no receipts.

· · ·

The Per-Capita Math

Sentry — a developer tools company with roughly 400 employees — pays $750,000 per year directly to open-source maintainers through the Open Source Pledge. [13] That's $1,875 per employee.

The seven pledging companies employ, through their parent entities, upward of 800,000 people. $12.5 million divided by 800,000 is $15.63 per employee. [2]

Sentry pays 120x more per employee than the companies that issued the press release.

Sentry's money goes to projects it depends on. Fifty percent through thanks.dev for automated dependency funding. Roughly a third to foundations — Django, PSF, OpenJS, Rust, PHP. Ten percent to Open Source Collective. Seven percent through GitHub Sponsors. [13] No intermediary foundations. No multi-year disbursement timelines. Direct funding to the people who write the code.

The Open Source Pledge's 20-plus member companies collectively sent $3.6 million to maintainers in 2025 — no strings attached. [14] HeroDevs committed $20 million through a sustainability fund with grants ranging from $2,500 to $250,000. [15] The Open Source Endowment, founded in February 2025, is building a permanent fund with backing from the founders of cURL, Elastic, HashiCorp, Nginx, Pydantic, and Vue.js. [16]

These are structurally more serious efforts from dramatically smaller organizations. The $12.5 million pledge is what happens when companies that could fund open source permanently choose to fund a press release instead.

· · ·

Tooling for Whom

The pledge funds tooling. Specifically: security tooling for maintainers to triage AI-generated vulnerability reports, AI-powered triage systems, processes for handling AI-generated security findings, and "embedding security experts" in the ecosystem. [1]

It does not fund maintainers.

60% of open-source maintainers receive no payment. [17] Twenty-six percent of those who are paid earn more than $1,000 per year. [17] 58% have quit or considered quitting — 22% actually left, 36% thought about it. [17] The top reasons: other priorities, lost interest, burnout, and not being paid enough. [17]

Paid maintainers are 55% more likely to implement critical security practices. [18] That is the single most effective intervention available. Pay the people who maintain the code, and the code gets more secure. The data is not ambiguous.

The pledge doesn't do that. It builds tools to help unpaid volunteers process the flood of AI-generated security reports that these companies' own AI tools created.

"Grant funding alone is not going to help solve the problem that AI tools are causing today on open source security teams."
— Greg Kroah-Hartman, Linux kernel maintainer [19]

The logic, step by step:

1. These companies built AI tools that generate security reports at unprecedented scale.
2. Those reports overwhelm unpaid maintainers.
3. The pledge funds tooling to help unpaid maintainers process those reports.
4. The maintainers are still unpaid.
5. The most effective security intervention is paying them.
6. The pledge does not pay them.

It's FOSS ran the headline: "AI Companies Put $12.5M Into Open Source Security to Fix a Problem Their Tools Helped Create." [20] That's the article.

· · ·

Day Nine

It has been nine days since the announcement.

As of this writing, no money has been disbursed, no recipients named, no application process announced. There is no disbursement timeline, no accountability metrics, and no disclosed KPIs. [21]

Six days after the pledge, OpenSSF issued a press release celebrating new members — Helvethink, Spectro Cloud, Quantrexion — a partnership with Kusari for no-cost security tooling, and the SLSA project reaching Graduated status. [21] No mention of the $12.5 million.

Alpha-Omega's historical pattern is grants announced, then disbursed over the course of a year. [22] If this follows precedent, the money will arrive in fragments over twelve months to a handful of projects. Alpha-Omega spent $5.8 million on 14 projects in 2024 — roughly $414,000 per project per year. [22] That doesn't hire a full-time senior security engineer in most U.S. markets.

To be clear: Alpha-Omega does real work. Seventy-plus grants totaling over $20 million. Security teams staffed at the Python Software Foundation, OpenJS, RubyGems, the Linux kernel, Homebrew. [22] Rust implementations of TLS. Audits of foundational technologies. The criticism is not fraud. It is scale. The Linux Foundation itself acknowledges "hundreds of thousands of widely used open source components with serious security and maintenance issues." [22] $414,000 per project does not address hundreds of thousands of projects.

The press release was the deliverable. The check may or may not be in the mail.

· · ·

What $12.5 Million Isn't

Harvard Business School estimated the demand-side value of open-source software at $8.8 trillion. [23] Without it, companies would pay 3.5 times more for equivalent software. Five percent of developers create more than 90% of that value. [23]

Eighty-nine percent of organizations using AI leverage open-source models. [24] Open-source models represent 62.8% of the market by count. [24] AI is built on PyTorch, TensorFlow, Hugging Face, Linux, Python, NumPy, Pandas — all open source. The entire AI infrastructure boom runs on code maintained by people who mostly aren't paid.

Maven Central — the Java package registry — handles hundreds of billions of downloads on a shoestring budget. 82% of demand comes from fewer than 1% of IP addresses: the major cloud providers. [3] They consume at massive scale. They could run local mirrors. They choose not to.

Steven J. Vaughan-Nichols calculated that the pledge is equivalent to sixteen cents from someone earning $100,000 a year — using a $7.7 trillion market cap figure that excluded private companies. [3] Our calculation, including Anthropic's $380 billion valuation and OpenAI's approximately $850 billion, gives twelve cents. Either way: less than a dollar. For the ecosystem their businesses depend on.

"Open source isn't a tip jar — it's time to charge for access."
— Steven J. Vaughan-Nichols [3]

He's right. Payment should be a cost of doing business, not optional charity from companies that treat the entire open-source ecosystem as free infrastructure.

· · ·

The Pattern

Year  Pledge                       Amount                        What Happened
2021  Google cybersecurity         $10B (broad) / $100M to OSS   Partially delivered; ~$15M/yr to OSS [25]
2022  OpenSSF Summit II            $30M+ (of $150M plan)         "Not materialized at the amount promised." Devs reassigned to AI. [10]
2023                                                             Corporate OSS sponsorships drop 23% [11]
2026  Linux Foundation / OpenSSF   $12.5M                        No disbursement after 9 days. No timeline. No recipients. [21]

Each pledge is smaller than the last, with weaker accountability and longer press releases.

The $12.5 million question is not whether the money helps. Some of it will. Alpha-Omega will fund security work on projects that need it.

The question is whether we are going to keep treating corporate philanthropy at 0.000123% of market capitalization as meaningful engagement with a crisis these companies profit from and, increasingly, created.

Twelve cents.

That's the answer.

Disclosure

This article was written with the assistance of Claude, an AI made by Anthropic — one of the seven companies that made the $12.5 million pledge analyzed in this piece. The conflict is disclosed because the conflict is real. Every claim is sourced. Verify anything. Corrections welcome at nadia@sloppish.com.

Sources

  1. Linux Foundation, "Linux Foundation Announces $12.5 Million in Grant Funding from Leading Organizations to Advance Open Source Security," March 17, 2026. Linux Foundation; OpenSSF.
  2. Market capitalizations as of March 2026: Amazon $2.25T, Alphabet $3.65T, Microsoft $3.01T, Anthropic $380B (per CNBC), OpenAI ~$850B. Combined: ~$10.14T.
  3. Steven J. Vaughan-Nichols, "Open source isn't a tip jar," The Register, March 25, 2026. Citing Sonatype CTO Brian Fox on Maven Central traffic concentration.
  4. Futurum Group, "AI Capex 2026: The $690B Infrastructure Sprint."
  5. CNBC, "Tech AI spending approaches $700B," February 6, 2026.
  6. Bloomberg, "$650B in AI computing," February 6, 2026.
  7. OpenAI $25B ARR as of February 2026; $12.5M is less than 5 hours of annualized revenue.
  8. IEEE, "Big Tech pledges money to open source."
  9. TechCrunch, "White House open source security," May 16, 2022.
  10. Cybersecurity Dive, "How AI and politics hampered the secure open-source software movement." Quoting Aeva Black, former CISA OSS security lead.
  11. Open Source Collective, "2024/25 Board and Strategic Report." Also: "Why the Open Source Pledge is relevant and timely."
  12. AWS, "AWS and Others Invest $12.5M to Defend the Open Source Ecosystem from AI Threats."
  13. Sentry, "Another Year, Another $750,000 to Open Source Maintainers."
  14. Open Source Pledge. See also: Sanity ($146K), Frontend Masters ($50K).
  15. HeroDevs, "$20 Million Sustainability Fund for Open Source Creators."
  16. Open Source Endowment. See also: TechCrunch, The Register.
  17. Tidelift, 2024 Open Source Maintainer Survey. Also: Tidelift press release, burnout data.
  18. Tidelift / BusinessWire, "Paid maintainers 55% more likely to implement security practices."
  19. Greg Kroah-Hartman, quoted in The Register, March 18, 2026.
  20. It's FOSS, "AI Companies Put $12.5M Into Open Source Security to Fix a Problem Their Tools Helped Create."
  21. OpenSSF, press release, March 23, 2026. No mention of $12.5M disbursement.
  22. Alpha-Omega, 2024 Annual Report. Also: FOSS Force.
  23. Harvard Business School, "The Value of Open Source Software," Nagle et al. Also: HBS Working Knowledge.
  24. Analytics Insight, "Open Source vs Proprietary AI 2026." Also: Vela Partners.
  25. Google, "Our latest investment in open source security for the AI era."