Open-source developers are suffering from burnout, fuelling supply chain risks for the 96% of enterprises relying on external code libraries.
According to a report by psychologist Miranda Heath, 73% of developers report burnout and 60% of open-source maintainers have considered walking away entirely. When these volunteers quit, the supply chain snaps. Downstream, that means unpatched vulnerabilities, orphaned dependencies, and a scramble to replace foundational tools.
We can no longer separate developer fatigue from enterprise security. The report links burnout directly to incidents like the XZ Utils hack, warning that exhausted maintainers become easy targets for malicious actors looking to plant backdoors.
“When maintainers burn out and are unable to steward it effectively, the functioning and security of this critical infrastructure is at risk,” Heath notes.
The economics of exhaustion
These supply chain risks come down to a broken value exchange. The software industry prints money, yet the architects of its base layer often work for free. Heath’s research, drawing on five months of interviews and analysis, identifies the difficulty of getting paid as a primary driver of open-source developer burnout.
For business leaders, this “market failure” creates fragility in their stack. Developers are forced to work a “double-shift”, often maintaining popular libraries on nights and weekends alongside full-time employment. This “stealth job” results in intense workloads and sleep deprivation, eroding the physical and mental health of the very people securing and powering global infrastructure.
Marc Grabanski, the founder of Frontend Masters, frames the supply chain risk for the corporate sector starkly: “If you put purely economics first and aren’t conscious of the things that have enabled your success, then you end up just hurtling towards darkness.”
Toxicity and the entitled enterprise accelerate burnout of open-source developers
Abuse from corporate users compounds the financial stress. The research identifies toxic community behaviour as a major burnout accelerant, often driven by entitled users demanding immediate fixes for free software.
Corporate teams frequently treat maintainers like paid vendors rather than volunteers in a gift economy. Heath notes that users act as if open-source software were a standard market commodity, ignoring that it is often maintained by a single individual in their free time.
One developer, James Kyle, noted the impact of this relentless pressure: “The angry response has been overwhelming. Every single day I’m reading someone else rant about how awful of a job we’re doing. It’s been hard to stay motivated.”
This dynamic creates a “burnout death-spiral” for developers. Rudeness from users creates fatigue, which leads to slower responses or curt interactions from maintainers, which in turn fuels further toxicity. For an enterprise, the result is longer lead times on bug fixes and a higher risk that a key supply chain dependency will be abandoned by the open-source developers they rely upon.
Stabilising the open-source supply chain
Generative AI has only made the pile higher. Heath’s analysis suggests that AI tools allow contributors to generate code without understanding it, creating a flood of low-quality submissions.
Reviewing these machine-generated pull requests is described as “mind-numbing,” stripping the intrinsic motivation from the work. If AI tools continue to lower the barrier for low-quality contributions without improving review capacity, the noise in the ecosystem may drive senior maintainers away.
To secure their software foundations, organisations must look beyond simple donations. The most direct mitigation is financial: reliable payment removes the need for open-source developers to do a “double-shift” and restores the balance between effort and reward to reduce burnout.
The mechanism matters. Heath warns that the wrong payment models can introduce new supply chain risks, citing the recent RubyGems takeover where pressure to appease funders altered the project’s direction and stripped maintainers of control. Decentralised funding or collective governance offer better paths, ensuring maintainers retain creative autonomy while making a living.
Corporate engineering cultures must also shift from consumption to contribution. Heath recommends that companies sponsor “community-focused events” that serve as “watering holes” where maintainers can build social support for themselves and their vital projects. Currently, such events are rare and expensive to attend, making them low-hanging fruit for corporate sponsorship.
If enterprises want reliable infrastructure and to mitigate supply chain risks, they need to treat maintainers as partners, not infinite resources.
“Burnout is not just a problem for OSS developers, it is a problem for all of us,” Heath concludes.
Developer is powered by TechForge Media.