When companies embed open source software within their commercial products, who should be held responsible when things go wrong?
The Log4Shell incident (CVE-2021-44228, the remote code execution flaw in Apache Log4j disclosed in December 2021) is a good example. There were many public displays of finger-pointing in the aftermath. This is the classic response to a big problem: victims claim it is not their fault, and vendors offer solutions and prescriptions that, invariably, serve more as marketing than as post-mortem analysis.
Here I’m sharing my answer to the question of who is responsible for open source software security, using Log4Shell as a case study. I’ll explain why, in situations like this, some security responsibilities, such as documentation, should be shared by maintainers and users, whereas testing for flaws should fall to the organizations that use the software.