Pay per use.
Just today @bagder of Curl fame posted this:
If you are a multi billion dollar company and are concerned about log4j, why not just email OSS authors you never paid anything and demand a response for free within 24 hours with lots of info? (company name redacted for *my* peace of mind) pic.twitter.com/saumXAWPKO
— Daniel 🥌 Stenberg (@bagder) January 21, 2022
The business model of the large cloud providers is to sell services (mainly) based on Open Source Software, providing great services (most of the time) to their customers. Their shrink-wrapped software is based on, or contains, FOSS components: Windows 10/11 contains curl as well as OpenSSH. Many others, including Aruba, BMC, Broadcom, Cisco, Citrix, and VMware, use Log4j. (See also https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md.)
The harsh truth is that the corporations that relied on Log4j never paid a dime to the maintainers, while being so bad at CI/CD that they couldn't even tell us which versions they used where, nor how it was configured out of the(ir) box.
Log4j maintainers have been working sleeplessly on mitigation measures: fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people from bashing us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns.
— sqlfeng (@sqlfeng) January 2, 2022
Worst of all, over the course of handling the Log4Shell incident, I heard people blame Open Source for this situation. Please, this is beyond stupid.
This needs to stop, and we must hold all companies responsible for the current state of affairs. I do not have the legal or financial insight to say whether it would be possible to demand that, when you pay e.g. Microsoft for Windows, a buck or two of that cost be forwarded to the maintainers of Curl (and others), but we need to "nudge" those corporations to do that to a greater extent.
Back to the intricate licensing models: why not "just" add a clause stating that every time you sell a product or a usage license containing/using e.g. Curl, a small percentage of that has to go to the maintainers? It wouldn't make the license less understandable (that's impossible for most of them anyway), and it would ensure that the maintainers get something for their efforts and can continue to maintain their project, to the benefit of everyone using it or relying on it!
And... please do remember to pay for the FOSS used when building software and solutions inside your organization. If it's worth deploying, it's worth paying for.
Let me just end by saying that way waaaaaaaay smarter people have pondered this question, so please investigate this topic further yourself.