The recent outbreak of Log4j code execution vulnerability CVE-2021-44228 not only caused an uproar in the security circle, but also affected the entire Internet industry. However, the "initiator" of this vulnerability is an open source project with only three sponsors. Although there may be other donation channels that are not counted, the final number will not be much higher:
We can almost say that more than 99% of open source software developers in the world are actually using love to generate electricity. This is why we often see abandoned open source projects on Github, and this ratio is much higher in China than abroad. I think the main reason is that domestic programmers have a harder time in their daily work, and there is no reward for amateur work. , after the excitement in the initial stage, there is not much motivation to persist with the endless issues and demands.
My motivation for doing open source
I have insisted on updating Vulhub for 4 years. As for why I can persist, I summarized the following points:
For me Vulhub is a good medium to learn about the latest vulnerabilities and historical vulnerabilities, not just simple open source projects
I can gain more community influence from working on open source projects. For example, I have 4.6k followers on Github, which allows me to gain indirect benefits.
I have received long-term sponsorship from platforms such as NetSec, FireWire, and ProjectDiscovery. Historically, I have also received sponsorship from Changting Technology, cvebase, and Alibaba Cloud Prophet. Although it cannot provide a full-time job, Vulhub can be said to be better than most. Open source software is better
Open source experience is also an integral part of your resume.
I think if any two of the above four points can be satisfied, I can stick to open source. If I were asked to pick the two points that I am most grateful for, they must be the first and third, and the first is satisfying. The first is your own spiritual needs, and the third is your own material needs.
In addition to the above-mentioned platforms and companies that sponsor me, there are also some individual user partners who have provided me with free support. I would like to express my gratitude here:
You can find them on this page: https://github.com/sponsors/phith0n. I have coded the amount. Every amount of money is a contribution to the open source cause, no matter how much.
My open source project sponsorship budget
Of course, as a participant in open source projects, I know that it is difficult to obtain material income from open source projects. The only thing most people can easily obtain is point 4. Therefore, I will consider setting up an open source project sponsorship budget for myself. This idea came from another blogger's article I read "I set up an open source donation budget of $20 per month for myself", as early as when I came to Singapore. It started before.
My budget is probably no more than $30 per month. I will select sponsors based on the following criteria:
Items that I use more every day
Security related projects
Prefer personal projects rather than projects run by commercial companies, but this is not absolute
The prerequisite for my sponsorship is that the project must maintain long-term and stable updates and cannot be three-minute hot, so I will choose projects that have been updated for at least half a year. In addition, after the budget is exceeded, I may stop some existing sponsorships and sponsor new projects. The so-called rain and dew have been soaked.
At this stage, I am sponsoring the following three projects or individuals, and my budget is still not fully spent:
Django, the web development framework I use the most, goes without saying much.
Sameer Naik, this person has done several Docker-related projects, especially docker-gitlab, which has provided great help to Vulhub.
Swissky, which has open sourced many security-related tools and documents
Although a single person’s monthly sponsorship of US$2 or US$30 is not that much, after most people develop the habit of sponsoring open source, I believe that the authors of open source projects can also earn a considerable amount of income.
Build your own budget and sponsorship page
Students reading this, if you are a user of open source software, you can also set up an "open source software donation plan" like me and set a budget for yourself. Even if it is $5 per month, you may be able to sponsor 5 Open source project.
When sponsoring on foreign platforms, you may need to use Visa credit card or Paypal. Relatively speaking, Paypal is more convenient, and UnionPay cards can also be used. However, because there is no WeChat or Alipay, this is one of the reasons why it is difficult for many domestic students to sponsor open source projects. I hope that major platforms can access it as soon as possible.
If you are a contributor to an open source project, you can also actively set up your own sponsorship page to accept donations from everyone. Common sponsorship platforms include the following:
Github Sponsor, developers in mainland China are temporarily unable to open sponsorship channels. If you have a bank card from Hong Kong and other regions, you can create your own sponsored page by selecting Hong Kong as the region when opening.
Open Collective, supports withdrawal to Paypal or bank card
Patreon, supports withdrawal to Paypal or bank card
Buymeacoffee supports withdrawal to Paypal or bank card
iDianfa, a domestic platform, you can use Alipay or Paypal to collect payments
Finally, I believe that the log4j incident will still happen again in the future, but I hope that when that day comes, the authors of open source projects are fixing loopholes with their own worthwhile income, instead of using love to generate electricity.
If you like this article, click to read it before leaving~