
Who is responsible for open source security?

Lessons from the Log4Shell incident
February 28, 2022

When companies embed open source software within their commercial products, who should be held responsible when things go wrong?

The Log4Shell incident is a great example. There were many public displays of finger-pointing in the aftermath of the incident. This is the classic response to a big problem, with victims claiming it’s not their fault and vendors offering up solutions and prescriptions that, invariably, serve more as marketing than post-mortem analysis.

Here I’m sharing my answer to the question of who is responsible for open source software security, using Log4Shell as a case study. I’ll explain why, in situations like this, certain security features like documentation should be managed by both maintainers and users, whereas testing for flaws should fall to user organizations.
