‘Stop calling it a hobby and start treating it as infrastructure’: EXANTE calls out the underfunding of widely used open source projects

While many of us wouldn’t think twice about buying software from a global hyperscale software vendor, open source software (OSS) has flown under the radar as a majorly important part of the software landscape for decades.

Recent shifts in European attitudes, fuelled by geopolitical tensions and technological sovereignty concerns, have seen an increased focus on the desire to run open source software and back local vendors. A major advantage is the open nature of its development – anyone can inspect, modify and use it, and companies can distribute their own versions without the limitations and expenses of vendor lock-in.

It’s so important that around 70% of modern software stacks are estimated to rely on open source components in some form – EXANTE sees it as a plumbing system that keeps software stacks together.

But that very benefit could also be a disadvantage for corporate customers, because small groups of volunteers don’t have the same requirements as large corporations. While companies invest heavily in cybersecurity and resilience, visibility into open source software can be alarmingly low.

AI is making underfunding even more pronounced

Vibe coding has further complicated matters, with developers now able to write code more quickly and malicious actors leaning on those same AI coding tools to discover vulnerabilities and develop exploits.

Without the commercial funding that hyperscale software receives, OSS is left in a more vulnerable position.

But given the importance of OSS for companies looking to build their own software stacks, many are now starting to see backing projects as an integral part of managing their risks.

To discuss why the responsibility, or burden, of open source software sustainability is increasingly being picked up by enterprise customers instead of individual developers and contributors, I spoke with EXANTE CTO Richard Forss, who explained how AI is changing software development and cybersecurity strategies globally, and why businesses should treat OSS as critical infrastructure.

EXANTE is also the company behind the Gecko Fund – a new €1 million grant programme to support critical open source software projects used across trading and financial data systems, with grants of between €10,000 and €150,000 available – and the company believes that financial and technical support for open-source projects is now more important than ever.

“We believe the industry that benefits from these tools should play a role in sustaining them,” Gecko Fund founder Anatoly Knyazev asserted.

How broadly is open-source software used across fintech, and, namely, brokers? How exactly is it used?

Open source is the foundation of modern fintech and brokerage businesses, but almost nobody talks about it. If you looked under the hood of any brokerage platform, ours included, you would find that about 70% of the critical stack is open-source.

It powers the databases, operating systems, messaging layers, cloud infrastructure – the bits that quietly move millions of transactions a day. Clients never see any of it, which is rather the point.

The reason we all use it is simple economics. Software is built in layers, and there is no sense in any one firm rebuilding the foundations from scratch. We use shared, battle-tested components for things like market data processing and risk infrastructure, and we spend our own engineering effort on the parts that are actually ours.

It lets teams move quickly and solve complex architectural and engineering puzzles that would otherwise be out of reach.

Why does the underfunding problem in open-source software exist, despite it being so widely used across the global economy?

Because it works too well to notice. Open source behaves like a utility, the plumbing in the walls, and nobody thinks about the plumbing until it bursts. Millions of organisations rely on these tools every day, and for years, almost none of them paid a penny towards keeping them alive.

More accurately, open source drives an estimated $8.8 trillion in global economic value. Yet, nearly two-thirds of the developers responsible for maintaining these widely adopted systems receive very limited financial support.

Hundreds of thousands of organisations – from startups to huge enterprises – benefit from these tools every single day, but the actual responsibility for maintaining them stays with a handful of volunteers.

Everyone relies on the infrastructure, but historically, almost no organisation has taken responsibility for paying for its upkeep.

Why should businesses care if critical open-source projects are maintained by very small teams or individual developers?

Because it is a single point of failure hiding in plain sight. We spend enormous amounts of money assessing vendor risk and operational resilience, scrutinising suppliers, war-gaming outages, and then the whole edifice can rest on a library maintained by one or two exhausted people you have never heard of.

Our first Gecko Fund grant went to Kryo, an open-source data serialisation tool used all over the world in high-performance and trading environments. For years, it has been kept going by two people on two different continents, with no outside funding at all.

They do excellent work – and that is, of course, not the problem. The problem is that it is two people. If one of them burns out, or simply does not have a free evening to patch a serious flaw the moment it appears, the consequences do not stay neatly within their project. They ripple out into regulated markets that have no idea they were depending on them.

How is AI changing the risk profile of open-source software and cybersecurity?

AI has put its foot on the accelerator, and it is pressing down on both cars at once. On our side, it genuinely helps. It spots bugs, speeds up code review, catches things early. The problem is that the people trying to break in have exactly the same tools.

Bad actors use AI to scan open-source codebases, identify vulnerabilities, and launch targeted exploits much faster than before. The time between a flaw being discovered and an active attack being launched is continuously shrinking.

This puts intense pressure on underfunded maintainers to deploy fixes instantly. Since AI scales these threats so effectively, the security of the underlying open-source ecosystem has become a systemic priority.

Which parts of the open-source ecosystem are most vulnerable to underinvestment today?

It’s not the famous projects. Mostly the dull ones. The risk lives in the deep, unglamorous code: I’m talking about the low-level libraries, the developer tooling, the APIs – developer tools that operate entirely out of sight. The components that never trend on anything and never will.

That is precisely why they go unfunded. They do not make headlines, so they do not attract sponsors or donations, and yet they are wired into thousands of commercial products.

It is the paradox of the whole industry. The more essential a piece of software is, the more invisible it tends to be. When one of those hidden libraries fails, it does not fail for one company. It fails for everyone at once.

How do you think this gap can be bridged? What measures can businesses take to mitigate possible risks?

Stop calling it a hobby and start treating it as infrastructure, because that is what it is. The first thing any firm should do is the unglamorous work of auditing its own supply chain and understanding exactly which open-source components it actually depends on. Most have never properly looked. Once you know what you are standing on, you have to hold it up. But money is not the only currency – firms can contribute engineering time, security audits, testing environments, or documentation. The goal is to make the relationship mutual: if your business profits from these tools, your business should help keep them safe.

What infrastructural changes can be made to make open-source software more sustainable?

The corporate world needs to stop expecting critical infrastructure to be maintained by someone giving up their weekends. That is the change. Everything else follows from it.

It is starting to shift. There are sovereign technology funds now, government-backed efforts, industry groups forming around open-source standards. That is encouraging.

But finance, of all sectors, ought to be leading rather than waiting, because finance has more to lose than most if this plumbing fails. If we formalise how companies contribute and build proper structures for funding this work, then the people holding up the machinery behind global commerce might finally get the stable backing they need to keep the markets running. They have earned it several times over.
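The supply-chain audit Forss recommends above (knowing exactly which open-source components a firm stands on) starts from a software bill of materials. The script below is an added example, not code from EXANTE, the Gecko Fund or the interview: it reads a CycloneDX-format SBOM, separates the components the application declares directly from those pulled in transitively, and ranks every component by how many other components in the stack depend on it, which surfaces exactly the "dull" low-level libraries the interview describes as failing for everyone at once. The SBOM embedded in the script is constructed for illustration; the component names are fictional, and the CycloneDX field names used (`components`, `dependencies`, `bom-ref`, `dependsOn`, `licenses`) follow the published 1.x JSON layout.

```python
"""Inventory an application's open-source dependencies from a CycloneDX SBOM.

Added example for the supply-chain audit step; not EXANTE code. The SBOM
below is constructed: fictional component names, no real project's data.
"""
import json
from collections import defaultdict

# Constructed sample SBOM in CycloneDX 1.x JSON layout.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "type": "application",
                               "name": "trading-gateway", "version": "2.3.0"}},
    "components": [
        {"bom-ref": "market-data", "type": "library", "name": "market-data",
         "version": "4.1.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "risk-engine", "type": "library", "name": "risk-engine",
         "version": "1.9.2", "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "fast-serializer", "type": "library", "name": "fast-serializer",
         "version": "5.6.0", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"bom-ref": "bytecode-utils", "type": "library", "name": "bytecode-utils",
         "version": "9.7"},  # deliberately no license declared
        {"bom-ref": "logging-api", "type": "library", "name": "logging-api",
         "version": "2.20.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["market-data", "risk-engine", "logging-api"]},
        {"ref": "market-data", "dependsOn": ["fast-serializer", "logging-api"]},
        {"ref": "risk-engine", "dependsOn": ["fast-serializer", "logging-api"]},
        {"ref": "fast-serializer", "dependsOn": ["bytecode-utils"]},
        {"ref": "bytecode-utils", "dependsOn": []},
        {"ref": "logging-api", "dependsOn": []},
    ],
})


def load_sbom(text):
    """Parse SBOM JSON and reject anything that is not CycloneDX."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return sbom


def root_ref(sbom):
    """bom-ref of the application the SBOM describes."""
    return sbom["metadata"]["component"]["bom-ref"]


def dependency_graph(sbom):
    """Map each bom-ref to the refs it depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def direct_dependencies(sbom):
    """Components the application itself declares."""
    return set(dependency_graph(sbom).get(root_ref(sbom), []))


def reachable(graph, start):
    """Every ref reachable from start through the graph (start excluded)."""
    seen, stack = set(), list(graph.get(start, []))
    while stack:
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        stack.extend(graph.get(ref, []))
    seen.discard(start)
    return seen


def transitive_only(sbom):
    """Components that arrive only through other dependencies."""
    return reachable(dependency_graph(sbom), root_ref(sbom)) - direct_dependencies(sbom)


def fan_in(sbom):
    """How many distinct components (the app included) depend on each ref."""
    counts = defaultdict(int)
    for deps in dependency_graph(sbom).values():
        for dep in set(deps):
            counts[dep] += 1
    return dict(counts)


def components_without_license(sbom):
    """Names of components with no license entry, a common audit gap."""
    return sorted(c["name"] for c in sbom.get("components", []) if not c.get("licenses"))


def inventory_report(sbom):
    """One row per component, the most depended-upon first."""
    direct, counts = direct_dependencies(sbom), fan_in(sbom)
    rows = []
    for c in sbom.get("components", []):
        ids = [l.get("license", {}).get("id") or l.get("expression") or "?"
               for l in c.get("licenses", [])]
        rows.append({"name": c["name"], "version": c.get("version", "?"),
                     "direct": c["bom-ref"] in direct,
                     "fan_in": counts.get(c["bom-ref"], 0),
                     "license": ", ".join(ids) or "UNDECLARED"})
    rows.sort(key=lambda r: (-r["fan_in"], r["name"]))
    return rows


if __name__ == "__main__":
    for row in inventory_report(load_sbom(SAMPLE_SBOM)):
        kind = "direct" if row["direct"] else "transitive"
        print(f'{row["name"]:<16} {row["version"]:<8} {kind:<10} '
              f'fan-in={row["fan_in"]} license={row["license"]}')
```

The fan-in column is the useful signal: in the constructed sample, the transitive `fast-serializer` and the logging API sit under more of the stack than either directly declared business library, which is the kind of component the interview argues deserves funding or engineering time. Running the same report against a real SBOM exported from a build tool gives a firm the starting list for deciding where to contribute.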