
Securing the Fundamentals: Our Support for Log4j

By Powen Shiah

In Technologies

It is with great excitement that we announce the Sovereign Tech Fund's support of the continued development of Apache Log4j, a cornerstone in the architecture of Java-based software applications.

The Crucial Role of Log4j

Log4j is one of the most widely used logging libraries, integral to the functionality of a very large share of Java-based software applications. Its significance cannot be overstated, as it forms the backbone of logging for countless digital systems worldwide. In December 2021, Log4j came under global scrutiny because of the Log4Shell vulnerability (CVE-2021-44228), a revelation that not only exposed how much depended on an under-resourced project but also served as a catalyst for the creation of the Sovereign Tech Fund.

The three maintainers now able to focus on the project are Christian Grobmeier, Piotr Karwasz, and Volkan Yazıcı; two of them are leaving full-time positions to do so. All three are members of the Apache Logging Services team and of its project management committee (PMC), the group that governs the Log4j project. Until now, the core maintainers, Christian Grobmeier among them, had not received substantial financial support for this critical open source work.

More about STF and Log4j

"I only believed it was true when the funds arrived in my account. With this funding, we are finally able to give Log4j more attention, making it secure for all the people who rely on us."

— Christian Grobmeier, Log4j Maintainer and Member of the Apache Logging Project Management Committee

Addressing Neglect in Digital Infrastructure

The Log4j case epitomizes the neglect often faced by essential components of our digital infrastructure. Despite the widespread attention and concern the 2021 vulnerability drew, this is the first time that a key contributor, Christian Grobmeier, has received financial backing for his dedication to critical open source projects.

This underscores the difference the Sovereign Tech Fund's engagement can make to the security of essential open source software components and to the maintenance of our shared digital infrastructure.

“Some Log4j maintainers receive limited support from Tidelift or through GitHub Sponsors for their maintenance efforts. The amounts are mostly at a level that convey appreciation. No Log4j developers are funded to an extent which enables them to either work on the project full-time or accomplish the work STF is commissioning.”

— explains Mirko Swillus, STF Program Manager

Achievements so far

The Log4j team has been at work for a few months, and the first milestones are already making an impact on Log4j’s long-term viability.

  1. The team has started to implement a release pipeline: infrastructure that releases the software automatically, faster, and more reliably.
  2. They have started to modernize the code base and its dependencies, so that everything is properly maintained and up to date.
  3. Finally, they have enabled a “Software Bill of Materials” (SBOM) and a “Vulnerability Disclosure Report” (VDR) for releases.

Both are machine-readable supply-chain documents: an SBOM lists the components and dependencies that make up a release, and a VDR records which published vulnerabilities affect which versions of those components and how. Together they let enterprises and users check automatically whether the software they run is affected by a published security vulnerability, instead of reading advisories by hand. At the Apache Software Foundation, the Log4j (logging) team is now among the first to implement this at this scale, allowing others to replicate it.
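As an added illustration of the check the passage above describes (this is example code written for this page, not Log4j project code), the script below matches a CycloneDX SBOM against a CycloneDX VDR, CycloneDX being a common format for both documents, and lists the components whose version falls inside an "affected" range. Both JSON documents are constructed, cut-down samples: the package names, the vulnerability identifier EXAMPLE-2024-0001 and the version range are placeholders, and the matching rule (a VDR `affects[].ref` naming a package purl without a version) is an assumption of the example.

```python
"""Match a CycloneDX SBOM against a CycloneDX VDR to list affected components.

Added example for this page; it is not Log4j project code. Both JSON documents
are constructed, cut-down CycloneDX 1.5 samples: the package names, the
vulnerability ID and the version range are placeholders, not real advisories.
"""
import json
import re

# Constructed SBOM: two components of a fictional logging library.
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "logger-core", "version": "2.14.1",
     "purl": "pkg:maven/org.example/logger-core@2.14.1"},
    {"type": "library", "name": "logger-api", "version": "2.14.1",
     "purl": "pkg:maven/org.example/logger-api@2.14.1"}
  ]
}'''

# Constructed VDR: one placeholder vulnerability affecting logger-core from
# 2.0 up to (but not including) 2.15.0, expressed in vers range notation.
VDR_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "vulnerabilities": [
    {"id": "EXAMPLE-2024-0001",
     "affects": [
       {"ref": "pkg:maven/org.example/logger-core",
        "versions": [
          {"range": "vers:maven/>=2.0|<2.15.0", "status": "affected"},
          {"range": "vers:maven/>=2.15.0", "status": "unaffected"}
        ]}
     ]}
  ]
}'''

_CONSTRAINT = re.compile(r"^(>=|<=|!=|>|<|=)?(.+)$")


def _version_key(version: str) -> list[int]:
    # Numeric components only ("2.14.1" -> [2, 14, 1]); pre-release tags such
    # as "-beta9" are ignored, which is enough for this illustration.
    return [int(n) for n in re.findall(r"\d+", version)]


def _compare(a: str, b: str) -> int:
    """-1, 0 or 1 for a < b, a == b, a > b; shorter keys are zero-padded."""
    ka, kb = _version_key(a), _version_key(b)
    width = max(len(ka), len(kb))
    ka += [0] * (width - len(ka))
    kb += [0] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def version_in_range(version: str, vers: str) -> bool:
    """True if `version` satisfies every constraint of a simple vers range.

    Assumption: the range is one contiguous interval, so its constraints can
    be ANDed; "*" matches every version.
    """
    body = re.sub(r"^vers:[^/]+/", "", vers)
    if body == "*":
        return True
    ops = {">=": (0, 1), "<=": (-1, 0), ">": (1,), "<": (-1,), "=": (0,), "!=": (-1, 1)}
    for constraint in body.split("|"):
        op, bound = _CONSTRAINT.match(constraint).groups()
        if _compare(version, bound) not in ops[op or "="]:
            return False
    return True


def _package_ref(component: dict) -> str:
    # Assumption: VDR "affects[].ref" names a package purl without a version,
    # so the "@version" suffix of the component's purl is dropped for matching.
    return (component.get("purl") or component.get("bom-ref", "")).split("@")[0]


def _status_for(version: str, entries: list[dict]) -> str:
    """Status of the first VDR version entry (exact or range) matching `version`."""
    for entry in entries:
        if "version" in entry and _compare(version, entry["version"]) == 0:
            return entry.get("status", "unknown")
        if "range" in entry and version_in_range(version, entry["range"]):
            return entry.get("status", "unknown")
    return "unknown"


def affected_components(sbom: dict, vdr: dict) -> list[tuple[str, str, str]]:
    """Return (component name, version, vulnerability id) for every hit."""
    hits = []
    for vuln in vdr.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            for comp in sbom.get("components", []):
                if _package_ref(comp) != target.get("ref"):
                    continue
                if _status_for(comp["version"], target.get("versions", [])) == "affected":
                    hits.append((comp["name"], comp["version"], vuln["id"]))
    return hits


def scan(sbom_text: str = SBOM_JSON, vdr_text: str = VDR_JSON) -> list[tuple[str, str, str]]:
    """Parse both documents and return the affected components."""
    return affected_components(json.loads(sbom_text), json.loads(vdr_text))


if __name__ == "__main__":
    for name, version, vuln_id in scan():
        print(f"{name} {version} is affected by {vuln_id}")
```

Running the script reports only `logger-core 2.14.1`; `logger-api` has no VDR entry and is left alone, and a `logger-core` at 2.15.0 would fall into the "unaffected" range. A production checker would use a full purl and vers implementation rather than the simplified parsing here, but the shape of the check (component ref from the SBOM, version status from the VDR) is the same.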


Sovereign Tech Fund's Commitment

The Sovereign Tech Fund has commissioned this dedicated team of three developers for a comprehensive project to improve Log4j, running from September 2023 through the end of 2024. The project comprises 30 milestones covering structural enhancements, security initiatives, maintenance, and documentation. The rest of the PMC recognizes these milestones and deliverables as addressing common pain points, and the team expects PMC consensus to deliver them in the form of releases.

The Sovereign Tech Fund's commitment totals €596,160 for this crucial project, reflecting our dedication to enhancing the security, reliability, and long-term sustainability of Log4j. The Sovereign Tech Fund is funded by the German Federal Ministry for Economic Affairs and Climate Action (BMWK).

“By focusing on structural improvements, security, and documentation, we’re putting Log4j on firmer footing going forward. It will become easier for new contributors to join the project, and for current maintainers to work more effectively.”

— Fiona Krakenbürger, STF Co-Founder

STF invites the global tech community to join us in supporting and recognizing the people doing invisible labor in open source, ensuring the resilience and robustness of the digital infrastructure we rely on daily. Together, we’re strengthening the digital foundations that enable innovation and progress.
