Libxml2’s solo maintainer drops embargoed security fixes, highlighting the burden on unpaid volunteers who keep critical open source software secure.

libxml2 Maintainer Ends Embargoed Vulnerability Reports, Citing Unsustainable Burden

The lone volunteer maintainer of libxml2, one of the open source ecosystem’s most widely used XML parsing libraries, has announced a policy shift that drops support for embargoed security vulnerability reports. This change highlights growing frustration among unpaid maintainers bearing the brunt of big tech’s security demands without compensation or support.

In a post closing the issue on the project’s tracker, maintainer Nick Wellnhofer explained that triaging security reports, often of questionable severity, is taking “several hours each week,” time that he says is unsustainable for an unpaid volunteer.

“The basic idea is to treat security issues like any other bug," Wellnhofer wrote. "They will be made public immediately and fixed whenever maintainers have the time. There will be no deadlines. This policy will probably make some downstream users nervous, but maybe it encourages them to contribute a little more. The more I think about it, the more I realize that this is the only way forward.”

Wellnhofer’s blunt assessment is that coordinated disclosure mostly benefits large tech companies while leaving maintainers doing unpaid work. He criticized the OpenSSF and Linux Foundation membership costs as a financial barrier that keeps single-person maintainers from gaining additional support.

"I've been doing this long enough to know that most of the secrecy around security issues is just theater," Wellnhofer said. "All the 'best practices' like OpenSSF Scorecards are just an attempt by big tech companies to guilt trip OSS maintainers and make them work for free.

"My one-man company recently tried to become an OpenSSF member. You have to become a Linux Foundation member first, which costs at least $10,000/year. These organizations are very exclusive clubs and anything but open. It's about time to call them and their backers out."

Wellnhofer said he recently stepped down as libxslt maintainer and that it's unlikely that the project will ever be maintained again.

"It's even more unlikely with Google Project Zero, the best white-hat security researchers money can buy, breathing down the necks of volunteers," he said.

"In the long run, putting such demands on OSS maintainers without compensating them is detrimental."

A Growing Pattern Among Over-Burdened Maintainers

Security professionals and fellow open source developers chimed in to support Wellnhofer’s stance, noting that the status quo relies too heavily on volunteers for critical infrastructure security.

“I think it’s the right decision to optimize for sustainability for the maintainers," commented Mike Dalessio, a contributor to other widely used XML libraries. "No objections from this downstream user.”

“Problem is many of these bugs will actually be exploited in the wild if we do this," warned Michael Catanzaro, a developer in the GNOME ecosystem. "Many extremely wealthy corporations have a stake in fixing libxml2 security issues, and they should help out by becoming upstream maintainers.”

Catanzaro suggested big vendors could either step up or risk public zero-day vulnerabilities when bugs hit the disclosure deadline without a fix.

Libxml2 ships with billions of devices worldwide, despite being maintained by a single volunteer. Its widespread adoption is a root cause of the problem, according to Wellnhofer:

“The point is that libxml2 never had the quality to be used in mainstream browsers or operating systems to begin with. It all started when Apple made libxml2 a core component of all their OSes. Then Google followed suit and now even Microsoft is using libxml2 in their OS outside of Edge. This should have never happened.”

He added that the big vendors’ approach amounts to avoiding responsibility for technical debt.

“These companies make billions of profits and refuse to pay back their technical debt, either by switching to better solutions, developing their own or by trying to improve libxml2," Wellnhofer said. "I’m not playing part in this game anymore.”

As a result, the new policy makes clear that libxml2 will no longer hold back security reports for coordinated disclosure. Wellnhofer said he's considering adding the following disclaimer for users:

“This is open-source software written by hobbyists, maintained by a single volunteer, badly tested, written in a memory-unsafe language and full of security bugs. It is foolish to use this software to process untrusted data.”

Wellnhofer also responded to previous commenters, confirming that he is not, in fact, burning out, and would love to mentor new maintainers, "but there simply aren't any candidates."

The Limits of Volunteer Security

The incident echoes broader sustainability issues in open source security. As Josh Bressers, VP of Security at Anchore, noted when sharing the news on LinkedIn:

“If your first thought was ‘this is unacceptable,’ you need to rethink open source. They’re a volunteer maintainer, this is a reasonable pushback. I think we’re going to see more of this in the future.”

Organizations relying on libxml2, which include the vendors of major operating systems and software stacks, may need to rethink how they support upstream maintainers, contribute fixes, or mitigate their exposure to unpatched bugs.

In the meantime, Wellnhofer’s message is clear: treat libxml2’s security posture as you would any unmaintained hobby project and plan accordingly.

Wellnhofer’s decision is just one more crack in the brittle foundation propping up modern software. A single unpaid volunteer is pushing back against the same billion-dollar companies that depend on his hobby project to parse XML across billions of devices. His resignation from the dance of private disclosures and unpaid triage is a clear signal that open source security is buckling under expectations no one is paying to meet.

As survey after survey reveals the unpaid backbone of open source, most maintainers remain overworked and deeply aware that a single missed patch could ripple into the next global supply chain meltdown. Yet for all the post-xz headlines and government summits, too little has changed: the world runs on free labor, and the bill is coming due. If the industry won’t share the burden, it will have to learn to live with the risk.
