---
title: "The Sustainability Crisis: Who Pays for the Internet's Video Infrastructure?"
author: "Cutsio Team"
date: "2026-05-14"
lastmod: "2026-05-14"
category: "Video Technology"
excerpt: "FFmpeg has 10 to 15 core maintainers. It is probably one of the biggest CPU users in the world. After years of public pressure, donations still cannot cover a single full-time developer. The XZ fiasco, the Google security debacle, and the Microsoft Teams incident all point to the same problem: the internet's video infrastructure is maintained by volunteers, and that is not sustainable."
tags: ["FFmpeg", "Open Source", "Sustainability", "Funding", "Maintainer Burnout"]
---

## What is the open source sustainability crisis in video technology?

The open source sustainability crisis in video technology is the growing gap between the critical importance of projects like FFmpeg, VLC, x264, and dav1d — which power video on billions of devices — and the minimal financial and human resources available to maintain them, leading to maintainer burnout, security risks, and eventual project abandonment.

The scale of the problem is hard to overstate. FFmpeg has roughly 10 to 15 core maintainers. The same small group of people is responsible for maintaining millions of lines of code that run on an estimated three billion devices. VLC's core team is even smaller — about five people. These are not the worst cases. The XZ project, which provides compression used by virtually every Linux distribution, was maintained by a single person.

The consequences of this imbalance are not theoretical. The XZ backdoor — the most serious supply chain attack ever discovered in open source — succeeded because a single maintainer was burned out, overworked, and manipulated into giving commit access to a malicious actor. The attacker exploited the maintainer's exhaustion. The same dynamic applies across dozens of critical projects.

"The most challenging and most interesting part of open source today is maintainer burnout," JB Kempf explains. "Daniel Stenberg, the maintainer of curl, is against what he calls AI slop because it gives a ton of fake reports, bad reports, bad patches. A lot of maintainers have a lot of burden. This is straining the open source community much more than forks."

## How bad is the funding situation for FFmpeg and VLC?

The funding situation for FFmpeg and VLC is severe — after years of high-profile public campaigns and increased awareness, donations are still not enough to cover even a single full-time developer's salary, let alone the 10 to 15 maintainers the project needs.

Kieran Kunhya is direct about this: "Donations have increased substantially. They are still not enough to cover even a single full-time developer." This is after the Google AI security debacle, the Microsoft Teams callout, and years of the FFmpeg account raising awareness on social media.

The projects have some funding sources. VideoLAN receives donations and has some corporate sponsorship. FFmpeg has a donation system. Both projects participate in Google Summer of Code, which funds student contributors. Some companies contribute patches in areas that benefit their products — Google contributes to VP9 and AV1, for example.

But the gap between what the projects need and what they receive is enormous. A single full-time developer working on FFmpeg costs roughly $100,000 to $200,000 per year in salary and benefits. The project needs multiple such developers. The total donations from all sources combined do not cover this.

This is fundamentally an allocation problem. The companies that depend on FFmpeg — and they include virtually every major technology company — derive enormous value from it. Google alone uses FFmpeg across YouTube, Chrome, Android, and cloud services. The engineering cost of replacing FFmpeg with an in-house solution would be tens of millions of dollars. Yet the contributions from these companies are a fraction of that.

## What is the maintainer burnout crisis?

The maintainer burnout crisis is the slow-motion collapse of open source projects as their small core teams become overwhelmed by the volume of bug reports, feature requests, security issues, and AI-generated spam — leading to exhaustion, abandonment, and security vulnerabilities.

The burnout crisis has multiple causes. The volume of work is immense and growing. Every new codec, every new platform, every new security scan generates more work for the same small group of people. AI-generated bug reports have made this dramatically worse — a single AI tool can generate more reports in a day than the maintainers can triage in a month.

The emotional toll is severe. Maintainers receive constant criticism. Users file bug reports with demanding language. Security researchers publish alarming CVEs. Companies file urgent tickets expecting immediate fixes. The work is invisible — when everything works, nobody thanks the maintainers. When something breaks, the criticism is intense.

"There is one guy maintaining all the time zones for everyone in the world," JB points out. "The mental health of open source maintainers is something that large corporations do not care about or do not see."

The XZ attack was the most visible manifestation of this crisis. A single maintainer, Lasse Collin, was subjected to sustained social engineering over multiple years. The attacker sent seemingly helpful patches, engaged in lengthy email exchanges at odd hours, and gradually exhausted the maintainer to the point where he granted commit access. The attack was discovered by chance — a volunteer noticed that SSH logins were taking slightly longer than expected.

## Why do trillion-dollar companies not pay for the infrastructure they depend on?

Trillion-dollar companies do not pay for the infrastructure they depend on because there is no invoice — open source projects do not send bills, and the cost of using the software without paying is zero, creating a collective action problem where every company benefits but none wants to be the first to pay.

The problem is structural. When a company uses a commercial vendor, there is a procurement process. A salesperson calls. A contract is signed. An invoice is sent. Payment is made. The cost is budgeted.

When a company uses open source, there is no procurement process. An engineer downloads the software and uses it. The cost is zero. There is no trigger for the organization to ask: "Should we be paying for this?"

The companies that contribute do so through specific channels. Google funds Summer of Code students who work on FFmpeg. They contribute code to VP9 and AV1, which benefit their products. But these contributions are a tiny fraction of the value they derive from the project as a whole.

The comparison with the security industry is instructive. Security researchers who find vulnerabilities are rewarded with bounties, conference speaking slots, and career advancement. The developers who fix those vulnerabilities receive nothing. Alex Strange's viral Hacker News post captured this perfectly: "Nobody is going to do any of that for you when you fix it."

## What positive changes have come from the public pressure?

Positive changes from the public pressure include Google starting to send patches alongside vulnerability reports, increased donations, greater awareness of FFmpeg's importance, and more responsive engagement from large companies when issues are raised publicly.

The most concrete change is in Google's behavior. After the public backlash, Google began including patches with their security reports. They also introduced reward programs that cover the fixing side of the equation, not just the discovery side. The change was a direct result of public accountability.

Donations increased substantially after the high-profile incidents. While still insufficient, the upward trend is real. More people now understand what FFmpeg is and why it matters.

The awareness shift has been significant. Before the FFmpeg account started its advocacy, most people in the video industry did not know that FFmpeg was developed by volunteers. The idea that the codec powering their exports was maintained by a handful of people in their spare time was genuinely surprising. Now it is widely understood.

The spicy tweet strategy has been validated. "Unfortunately, we are so small that the only strong power we have is blaming on social network, because it snowballs and now they listen to us," JB explains. This is not ideal, but it works.

## How can the video industry contribute to a sustainable future?

The video industry can contribute to a sustainable future by making recurring financial contributions proportional to usage, assigning engineering time to maintain the projects they depend on, establishing Open Source Program Offices, and treating maintainers as partners rather than vendors.

The most effective contribution is recurring funding. A one-time donation helps, but what projects need is predictable, ongoing support. A company that uses FFmpeg extensively should budget an annual contribution that reflects the value they derive. For a mid-size video platform, this might be $10,000 to $50,000 per year. For a large company like Netflix or YouTube, it should be substantially more.

Engineering time is equally valuable. When a company assigns engineers to work on FFmpeg, they get multiple benefits: the bugs they care about get fixed, their engineers build deep expertise in the technology, and the relationship with maintainers shifts from adversarial to collaborative.

Open Source Program Offices help bridge the gap between corporate processes and community norms. An OSPO understands that open source projects are not vendors. They know how to file useful bug reports, send patches, and engage constructively.

| Action | Impact | Difficulty |
|---|---|---|
| Recurring donations | Enables long-term planning | Easy (financial) |
| Assign engineering time | Directly improves the project | Medium (requires hiring) |
| Establish an OSPO | Improves all open source engagement | Hard (organizational) |
| Send patches with bug reports | Reduces maintainer burden | Easy (technical) |
| Publicly acknowledge dependencies | Raises awareness | Easy (cultural) |

## FAQ

**How can I support FFmpeg and VLC?**
You can donate directly through the projects' official websites. FFmpeg accepts donations at ffmpeg.org/donations. VideoLAN accepts donations at videolan.org. Every contribution helps, and recurring donations are especially valuable.

**Why does FFmpeg not charge companies for commercial use?**
FFmpeg is licensed under the LGPL and GPL, which allow free use. The project's community model means that changing the license would require every contributor's consent — a practically impossible task given the project's history.

**What happened in the XZ backdoor attack?**
A single maintainer of the XZ compression library was socially engineered over multiple years by a malicious actor who gradually gained commit access and inserted a backdoor into SSH. The attack was discovered by a volunteer who noticed anomalously slow SSH logins.

**How many people maintain FFmpeg?**
FFmpeg has approximately 10 to 15 core maintainers. Thousands of developers have contributed over the project's history, but the long-term maintenance burden falls on this small group.

**Is the sustainability crisis getting better or worse?**
Awareness is improving, and donations have increased, but the gap between what projects need and what they receive remains enormous. AI-generated bug reports are adding to the burden faster than funding is growing.
