libxml2 maintainer ends embargoed vulnerability reports, citing unsustainable burden

The lone volunteer maintainer of libxml2, one of the open source ecosystem’s most widely used XML parsing libraries, has announced a policy shift that drops support for embargoed security vulnerability reports. This change highlights growing frustration among unpaid maintainers bearing the brunt of big tech’s security demands without compensation or support.

[…]

Wellnhofer’s blunt assessment is that coordinated disclosure mostly benefits large tech companies while leaving maintainers doing unpaid work. He criticized the OpenSSF and Linux Foundation membership costs as a financial barrier to single person maintainers gaining additional support.
↫ Sarah Gooding

The problem is that, according to Wellnhofer, libxml2 was never supposed to be widely used, but now every major technology company with billions in quarterly revenue are basically expecting an unpaid maintainer to fix the security issues – many of which questionable – they throw his way.

The point is that libxml2 never had the quality to be used in mainstream browsers or operating systems to begin with. It all started when Apple made libxml2 a core component of all their OSes. Then Google followed suit and now even Microsoft is using libxml2 in their OS outside of Edge. This should have never happened. Originally it was kind of a growth hack, but now these companies make billions of profits and refuse to pay back their technical debt, either by switching to better solutions, developing their own or by trying to improve libxml2.

The behavior of these companies is irresponsible. Even if they claim otherwise, they don’t care about the security and privacy of their users. They only try to fix symptoms.
↫ Nick Wellnhofer

It’s wild that a library never intended to be widely used in any critical infrastructure is now used all over the place, even though it just does not have the level of quality and security needed to perform such a role. These are the words of Wellnhofer himself – an addition to the project’s readme now makes this point very clear, and I absolutely love the wording:

This is open-source software written by hobbyists, maintained by a singlevolunteer, badly tested, written in a memory-unsafe language and full ofsecurity bugs. It is foolish to use this software to process untrusted data.As such, we treat security issues like any other bug. Each security reportwe receive will be made public immediately and won’t be prioritized.
↫ libxml2’s readme

If you want libxml2 to fulfill a role it was never intended to fulfill, make it happen. With contributions. With money. Don’t just throw a whole slew of security demands a sole maintainer’s way and hope he will do the work for you.