Who Pays for FreeBSD?
TL;DR: Thirteen staff and roughly 19 contractors maintain an OS that Netflix, Sony, Apple, and Juniper build products on. The Foundation has been spending more than it raises for 3 years, reserves down from $5.8M to $4.0M. Many companies that benefit from FreeBSD contribute indirectly, or at levels hard to compare with how much they rely on it. The CRA will add compliance costs starting September 2026. Not because anyone’s being greedy. Because the incentives are broken and the behavioral research has understood this for decades.
Netflix runs FreeBSD in its streaming infrastructure, serving 300 million subscribers. Every PlayStation since the PS3 runs a FreeBSD-derived kernel: hundreds of millions of consoles. Juniper’s routers, WhatsApp’s servers, parts of Apple’s macOS and iOS: all built on or derived from FreeBSD.
The FreeBSD Foundation coordinates development with 13 staff (6 developers, 7 in leadership/operations/advocacy) plus roughly 19 contractors. They shipped FreeBSD 15.0 on schedule in December 2025: pkgbase, inotify compatibility, post-quantum cryptography (ML-KEM), OpenSSL 3.5. Plus conferences, corporate partnerships, and CRA compliance prep. Budget: about $2M/year.
Netflix alone made $33.7 billion in revenue last year.
The Foundation’s net income was -$854,000 in 2024. Reserves dropped $1.8 million in 3 years.
Starting September 2026, the CRA adds new compliance obligations on top of everything else. Not because the Foundation is mismanaging anything. Because many companies building products on FreeBSD contribute at levels that don’t match their reliance on it.
The Foundation reviews reserves regularly as part of budgeting. The goal: raise enough to match the year’s budget without drawing on reserves. Sometimes spending reserves intentionally makes sense, to keep momentum on key work. But reserves are supposed to buy time and flexibility, not become the business model.
I spent the past weeks going through the Foundation’s published P&L statements, their IRS 990 filings, their donor lists, and comparing what I found against behavioral psychology research on charitable giving. I also looked at what the CRA means for FreeBSD’s ecosystem.
I’ve maintained a fairly large open source project myself, and I know how quickly “people rely on this” turns into “someone else will pay for it.” I’m not a fundraising expert. I’m an infrastructure engineer with compliance experience, trying to understand how open source sustainability actually works by looking at real numbers.
The numbers
Financial data comes from the Foundation’s published P&L statements (2021-2025) and IRS 990 filings on ProPublica’s Nonprofit Explorer (2019-2020). The P&L reports, from the Foundation’s own accounting, give a clearer breakdown than the 990s, which bundle donations and investment performance into a single “total revenue” line.
| Year | Donations | Expenses | Investment Income | Net Income | Net Assets |
|---|---|---|---|---|---|
| 2019 | $2,267,428 | $1,092,042 | - | - | $5,473,615 |
| 2020 | $1,244,504 | $1,174,561 | - | - | $5,765,289 |
| 2021 | $1,281,437 | $1,260,643 | +$182,591 | +$203,592 | $5,818,368 |
| 2022 | $1,231,096 | $1,280,936 | -$340,655 | -$390,555 | $5,280,629 |
| 2023 | $1,268,896 | $1,928,906 | +$259,133 | -$400,126 | $4,880,502 |
| 2024 | $1,524,259 | $2,602,008 | +$224,582 | -$853,594 | $4,026,908 |
| 2025 (Q1-Q3) | $700,460 | $1,978,525 | +$147,733 | -$689,277 | TBD |
2019-2020: P&L reports not published. Donations and expenses from 990 filings, net income not shown (990 “total revenue” mixes donations with investment performance, making the comparison unreliable). 2021-2024: all figures from Foundation P&L. Net assets from 990 balance sheets for all years.
Two things stand out.
Donations have been growing since 2022: $1.23M to $1.27M to $1.52M. The 2024 number is the best since 2019. But expenses grew faster: from $1.3M to $2.6M over the same period. The Foundation invested in what FreeBSD actually needed - more developers, more platforms, better hardware support, CRA compliance preparation. Donations didn’t keep pace.
Investment income is volatile and doesn’t change the structural picture. In 2022 the stock market wiped out $341K. In 2023 and 2024 it added $225-259K. These swings affect net income year to year, but the core gap is between donations and expenses.
Part of the 2024 deficit comes from the FreeBSD Laptop Project: over $750K invested with Quantum Leap Research on Wi-Fi, USB4, Thunderbolt, and HDMI support. A deliberate bet on hardware compatibility. The Foundation is planning similar investment in 2026, so this isn’t a one-off spike.
The 2025 numbers through September show $700,460 in donations against nearly $2M in expenses. The Foundation’s own budget summary: “2025 expenses exceed projected revenue deliberately, using reserve funds.”
According to the Foundation, 2025 numbers are looking better than 2024. They also changed accounting firms, which delayed some quarterly reports. I’ll update this when the new numbers come out.
Fundraising goal for 2024: $2M, raised $1.52M (76%). In 2022: $1.4M goal, raised $1.23M (88%). Reserves dropped from $5.8M (2021) to $4.0M (2024). At the current rate, roughly 4-5 years of runway.
Who pays
The Foundation publishes its donor list organized by tier. Here’s what 2025 looked like:
| Tier | Companies |
|---|---|
| $250,000+ | Quantum Leap Research |
| $100,000-$249,999 | NetApp |
| $50,000-$99,999 | ARM, Juniper, Meta, Netflix |
| $25,000-$49,999 | Beckhoff |
| $10,000-$24,999 | AMD, E-CARD, Entersekt, Stormshield, Tailscale |
| $5,000-$9,999 | Framework Computer, Intel |
Now put that next to who actually builds products on FreeBSD:
| Company | FreeBSD use | Donation level | Corporate decision? |
|---|---|---|---|
| Netflix | CDN/streaming infrastructure | $50-99K | Yes, corporate donor |
| Juniper | JunOS (routers/switches) | $50-99K | Yes, corporate donor |
| Meta/WhatsApp | Server infrastructure | $50-99K | Yes, corporate donor |
| Sony | PS3/PS4/PS5 kernel (220M+ consoles) | $500-999 | No: employee match (PlayStation Cares) |
| Apple | macOS/iOS userland derived from FreeBSD | $250-499 | No: employee match |
| Cisco | Network products | $250-499 | No: employee match |
| Microsoft | Azure components | $1-5K | No: employee match |
| Infrastructure | $1-5K | No: employee match |
That contrast is the heart of this article.
Netflix, Juniper, and Meta contribute as corporate decisions. Maybe not at levels proportional to their FreeBSD use, but they show up clearly. Sony, Apple, Cisco, Microsoft, and Google also appear, but at tiers low enough that they probably reflect employee matching rather than corporate sponsorship.
The employer-matching question
A discussion on r/freebsd confirmed what I suspected: some “corporate” donations are actually employee donations matched by employers. One person donates, files a matching request, and the company appears on the donor list. A company at the $5,000-$9,999 tier might not have made any deliberate decision to fund FreeBSD. It could be one employee who cares, plus an automated matching policy.
I asked the Foundation about this. They confirmed they can usually tell the difference between direct corporate donations and employee matches, but matching gifts aren’t reported separately in the public donor list. Both types are mixed together.
The Koum donations
The largest donations in Foundation history came from Jan Koum, co-founder of WhatsApp. Grew up in government housing, learned to code on FreeBSD because it was free, got hired at Yahoo partly because they ran FreeBSD, built WhatsApp on FreeBSD servers. Facebook acquired WhatsApp for $19 billion in 2014. Koum donated $1 million that year, $500,000 more in 2016. The Koum Family Foundation appeared on donor lists through at least 2022.
$1.5 million from one grateful billionaire. More than what the Foundation raised in donations in any single year since ($1.52M in 2024). Without Koum, the reserve depletion would have started years earlier.
You can’t build a sustainability model around hoping one former user becomes rich, sentimental, and generous.
The challenge of attribution
Sony shows how hard it is to measure corporate engagement with open source when the money and engineering are routed indirectly.
The PS4 runs FreeBSD 9 (Orbis OS), the PS5 runs FreeBSD 11. Hundreds of millions of consoles. The donor list shows Sony at $500-999 through PlayStation Cares, an employee matching program.
But that may not be the whole story. Colin Percival (FreeBSD Release Engineering Lead, Tarsnap founder) commented in 2022 that “Sony has definitely paid for a significant amount of code in FreeBSD. Most or all of it was done very quietly though.” Contributions, if attributed at all, showed up under a consulting company name.
I tried to trace these contributions. Searching FreeBSD’s commit history for “Sponsored by: Sony” returns one commit (amd64: clear PSL.AC in the right frame). The consulting company Percival mentioned doesn’t appear in any searchable commit database. Sony also contributes to LLVM through their SN Systems team (300+ commits), which benefits FreeBSD indirectly since FreeBSD uses LLVM as its compiler. And decades ago, Sony employee Jun-ichiro Hagino (itojun) co-funded FreeBSD’s IPv6 implementation through the KAME project, but itojun died in 2007.
So the honest answer is messy. Some support may exist and still be nearly invisible in public records.
One more detail: Sony’s PS4 open source disclosure page lists about 80 packages, including “FreeBSD Kernel”, “BSD libc”, and “Network FreeBSD.” The PS5 page lists 6 packages. FreeBSD isn’t among them.
The BSD license gives Sony every right to do this. That’s the whole point of the license. Based on public data, there’s limited visible evidence of direct corporate financial contributions to the Foundation, though some work may happen through channels that don’t show up in public records.
The OpenBSD contrast
Now look at OpenBSD. The same companies that barely show up for FreeBSD give significantly more to the OpenBSD Foundation:
| Company | OpenBSD | FreeBSD |
|---|---|---|
| $50-100K (Platinum) | $1-5K (employee match) | |
| Microsoft | $25-50K (Gold) | $1-5K (employee match) |
| Meta | $50-100K (Platinum) | $50-100K (corporate) |
OpenBSD is smaller, Canadian non-profit (no US tax deduction), zero paid staff, ~$400K budget. Why the difference?
The simplest explanation is probably the right one: OpenSSH.
OpenBSD produces OpenSSH, and everyone knows what that is. It shows up in security audits and compliance checklists. The dependency is concrete and traceable. OpenBSD also produces LibreSSL and pf, same story.
FreeBSD’s value is different: infrastructure that gets absorbed into products and disappears. The PlayStation doesn’t say “Powered by FreeBSD” on the box. Netflix’s CDN doesn’t advertise it. Invisible value doesn’t trigger budgets.
Why this happens
It would be easy to call this corporate greed and leave it at that. But the funding gap follows patterns that behavioral scientists have studied for decades. These companies aren’t behaving irrationally. They’re behaving exactly as the research predicts.
One thing first: the BSD license is a deliberate philosophical choice, not a design flaw. The people who built FreeBSD chose maximum freedom. Anyone can use, modify, and distribute the code with no obligation to share changes or money. What follows is not an argument that BSD “should have been” GPL. It’s an observation that this kind of freedom creates a specific economic pattern, and that pattern is well-studied.
The free rider problem. Mancur Olson showed in 1965 that rational actors won’t voluntarily pay for public goods when they can benefit without paying (The Logic of Collective Action). The BSD license creates a textbook public goods scenario. The community made a conscious trade: maximum adoption and freedom, accepting that many users will never contribute back. That trade has worked: FreeBSD is everywhere. The Foundation carries the sustainability cost.
The bystander effect. Darley and Latane, 1968: the more people who could help, the less likely any one of them is to act. When Apple, Sony, Cisco, Microsoft, and Google all use FreeBSD, each one can assume someone else is funding it.
Invisible depletion. From the outside, FreeBSD looks fine. Public communications focus on accomplishments: conferences, FreeBSD 15.0 shipping on time. Year-end posts carry titles like “Powering the Future.” The Foundation is right to lead with its work, that’s what builds credibility. There are also conversations happening in private with corporate partners that the public doesn’t see. B2B fundraising doesn’t happen on donation pages.
The Foundation has acknowledged this. Quarterly financial reports are where the numbers get shared, but public updates focus on development progress because that’s what the community asks for. The information is there, just not where most people look.
From the perspective of a potential corporate sponsor who only reads the blog, there’s no visible signal that the Foundation needs help. When a shared resource shows no signs of depletion, nobody changes their behavior.
Nadia Eghbal’s 2016 Ford Foundation report Roads and Bridges put it well: open source infrastructure suffers from the same underinvestment as physical infrastructure, because it’s invisible until it breaks. FreeBSD is the road under Netflix and PlayStation. Nobody thinks about the road.
Contributions vs. giving back
Worth saying plainly: a lot of corporate “contributions” to FreeBSD are really maintenance of a company’s own dependency.
- Netflix improves the network stack they run on
- Microsoft writes Hyper-V drivers for their hypervisor
- Sony patches the compiler they use for their SDK
- Google writes gVNIC drivers for their cloud platform
This work benefits FreeBSD. In some cases, especially Netflix, it helps a lot. But it’s not the same thing as funding the shared work nobody can easily tie to one product manager’s budget: release engineering, security advisories, CI/CD, documentation, community coordination, operational costs. Everyone benefits from that work. Almost nobody wakes up wanting to pay for it first.
Fundraising with 13 people
One number jumped out when I read the Q1-Q3 2025 financials: $1,946 spent on fundraising in 9 months. For comparison, US nonprofits typically spend 15-25% of their budget on fundraising. For the Foundation, 15% would be roughly $300,000.
I asked about this. The number looked too low. They confirmed it isn’t the full picture: most fundraising cost is staff time, not the Fundraising-General line. Relationship building, donor conversations, campaign planning, all woven into other budget lines.
But the basic problem remains. Thirteen staff shipping an OS, managing CRA compliance, running conferences, coordinating contractors, doing corporate outreach. When you’re stretched that thin, fundraising gets squeezed. Not because they don’t care about it. Because there aren’t enough hours.
I also checked the donation page in March 2026. It has almost everything except what behavioral research says drives giving: suggested amounts (anchoring), impact framing (“$50 funds one day of CI infrastructure”), a progress bar, social proof. These things measurably increase giving. I wrote about this in more detail in a separate post on donation page design.
They’re engineers, not fundraisers. This is the kind of thing an outside contribution could help with: someone with UX or fundraising skills donating their time. Not everything has to be money.
What could change
The Foundation is doing what it can with what it has. The question is what the rest of the ecosystem could do.
Companies that ship FreeBSD could fund it. Netflix pays $50-99K as a corporate decision. Sony, Apple, Cisco show up through employee matching at $250-999. The partnership program exists: Platinum ($250K+), Gold ($150-249K), Silver tiers. In 2025, one at Platinum, one at Gold. For a project with this much industrial use, that’s thin.
The Foundation approaches known corporate users and asks them to support work that benefits them directly: security, CRA readiness, confidential computing. They also pitch the less visible infrastructure work. As they put it: it’s like roads and bridges, everyone depends on it, nobody wants to fund it until something breaks.
The community could contribute skills, not just money. Fundraising page redesign, grant writing, CRA documentation, financial analysis: skills that exist in the FreeBSD user community. An ICSE 2020 study (Overney et al., “How to not get rich”) found that very few open source projects receive meaningful donations, and those that do rarely communicate their financial situation clearly. The Foundation puts over 80% of its budget into program work (software development, infrastructure, advocacy). Someone with UX experience could build a better donation page in a weekend.
CRA compliance needs dedicated funding. The Sovereign Tech Agency grant ended (EUR 686,400, completed December 2025). The Foundation’s plan: grant funding plus support from commercial users affected by CRA requirements. CRA compliance requires dedicated staff time, tooling, and infrastructure that the Foundation currently doesn’t have budget for.
The Foundation has been clear about this: if a company profits from products that depend on FreeBSD, and the Foundation is doing the compliance work that reduces their risk, supporting that work is part of being a responsible participant. Companies that ship FreeBSD are manufacturers under the CRA. The Foundation does the steward compliance work. The manufacturers benefit.
Government funding can fill gaps. The STA grant proved the model works. With the CRA creating obligations for stewards, there’s a strong case for EU institutions to fund the compliance work they’re requiring. For anyone thinking a commercial solution will emerge: Tidelift raised $73.5 million in VC, spent 7 years trying “pay maintainers through enterprise subscriptions,” and got acquired by Sonar in December 2024 for its security intelligence, not its sustainability mission.
Visibility helps. Most FreeBSD users probably don’t realize the reserves are declining or that fundraising goals get missed. When I posted some of this data on r/freebsd, people donated immediately. The information itself was enough. Wikipedia runs fundraising campaigns because transparency works.
The CRA problem
Everything above is about the funding model as it exists today. The EU Cyber Resilience Act makes the timing worse.
The CRA entered into force in December 2024. Starting September 11, 2026, “open source stewards” must report actively exploited vulnerabilities within 24 hours, detailed reports within 72 hours, mitigation guidance within 14 days. Full compliance by December 2027. I wrote a more detailed overview in a separate post on the CRA and open source.
The Foundation has declared itself a steward and approved 6 CRA readiness workstreams in January 2026: security/vulnerability handling, SBOM toolchain, documentation, legislative engagement, public project repository, and communications.
One structural advantage: as a single steward for the entire OS, the Foundation has clear accountability, a coherent SBOM story, and one point of contact for regulators. Compare that with Linux, where “who is the steward for the kernel?” still doesn’t have a clean answer.
But there’s a real vulnerability. Release engineering is 100% volunteer-run. The Foundation provides developer support and infrastructure but doesn’t manage releases or the security team directly. If the key release volunteer is unavailable during a CRA vulnerability window, there’s no paid backup.
And this work is funded from reserves. The same reserves that have been shrinking for 3 years.
The Foundation already had to cut scope: community education, cross-project engagement, effectiveness measurement, all dropped. A Linux Foundation readiness survey (2025) found 62% of the open source ecosystem is unfamiliar with the CRA. 50% of stewards cite funding as their biggest gap.
Red Hat already has CVE Numbering Authority status and CSAF/VEX infrastructure. Canonical is marketing CRA compliance as an Ubuntu Pro differentiator. These companies absorb compliance costs as business expenses. The Foundation can’t.
And the companies shipping FreeBSD in their products (Netflix, Sony, Juniper) are classified as manufacturers under the CRA. Their compliance work doesn’t flow back to the Foundation.
I completed the Linux Foundation’s LFEL1001 course in March 2026 and started volunteering on the CRA workstreams through the ORC Working Group’s Cyber Resilience SIG, reviewing the EC’s draft guidance from a FreeBSD perspective. Years in compliance, years maintaining an open source project: this is where those two things meet.
The CRA turns a chronic funding problem into an urgent one.
What I don’t know
The Foundation answered several questions I sent them, which resolved most gaps in this analysis. One thing I can’t answer: what happens when they reach out to corporate users. How many say yes, how many don’t respond? That’s probably sensitive. But it would change the picture to know whether certain absences are “never asked,” “asked, no response,” or “asked and declined.”
Why I’m writing this
I’ve maintained an open source project and know how hard it is to sustain this work through donations. I spent years doing compliance work at IBM and Kyndryl, and I think the intersection of compliance and open source sustainability is going to matter a lot in Europe. So I’m doing the work and sharing what I find.
The Foundation does real work. FreeBSD 15.0 shipped on schedule. CRA compliance prep underway. Laptop hardware support expanding. Thirteen staff and ~19 contractors keeping an OS alive that powers a significant chunk of the internet. They’ve been at this for 20 years and were generous enough to engage with my research.
The data is all from public sources. The conclusions are yours to draw.
If you use FreeBSD, or your company does, look at the donor list, look at the financials, and ask whether the people maintaining this infrastructure are getting what they need.
The Foundation accepts donations here. They could use the help.
Sources: FreeBSD Foundation P&L statements and balance sheets (primary source for 2021-2025 financials), IRS 990 filings via ProPublica (2019-2020 and net assets), FreeBSD Foundation donor list, FreeBSD Foundation partnership program, FreeBSD CRA Readiness, Linux Foundation CRA Readiness Report, ORC Working Group. Academic references cited inline. Full research data available on simbiosi.org.
The FreeBSD Foundation answered questions for this article in March 2026. Their responses are integrated throughout the text above.