Free Software is Quietly Starting to Break Down—The Structure of AI-Generated Code Eroding Open Source and the Scenario Where IT Costs for Small and Medium Enterprises Increase by 1 Million Yen Annually


By Kai


The Software That Was Free Suddenly Turns Out to Have Security Holes

WordPress, MySQL, Linux, Python. Small and medium enterprises (SMEs) depend on open source software (OSS) for far more of their IT infrastructure than they realise. From the company website to customer management and internal tools, many businesses rest on a foundation of "free software" without knowing it.

However, that foundation is now quietly beginning to erode. The cause is AI-generated code.

AI-generated code has sharply increased in pull requests on GitHub. With the spread of code-generation assistants such as GitHub Copilot, the quality of code submitted to OSS projects has begun to change. The problem is not that code is written by AI as such; it is that a growing volume of it is being submitted without the submitter having reviewed or even understood it.

This may seem like a technical issue, but it is fundamentally a cost issue. What SME owners need to understand is simply this: “How much will the decline in OSS quality increase our IT costs?”

40% of AI-Generated Code Contains Security Flaws—What Is Happening?

The figure in the heading comes from a New York University study first published in 2021 ("Asleep at the Keyboard?"), which found that roughly 40% of the programs GitHub Copilot produced for security-sensitive tasks contained vulnerabilities. A Stanford University study published in 2023 added a more troubling result: developers who used an AI coding assistant wrote less secure code than those who did not, and were more likely to believe their code was secure.

The strength of OSS has always been that "many eyes see the code." This is known as Linus's Law, in Eric S. Raymond's formulation: "Given enough eyeballs, all bugs are shallow." But what is the reality?

There is a chronic shortage of maintainers for major OSS projects. The Log4j vulnerability (Log4Shell, CVE-2021-44228) shocked the world in December 2021, yet the project was effectively maintained by a handful of volunteers. What happens when a flood of AI-generated pull requests lands on people like that?

The cost of reviews explodes.

Several OSS maintainers have already voiced their concern that low-quality pull requests and bug reports which appear to be AI-generated are exhausting them through the triage alone. In 2024 the maintainer of curl publicly described AI-generated "vulnerability reports" as a drain on the project, and projects such as Gentoo and NetBSD adopted policies against accepting AI-generated code contributions.

So, the structure is as follows:

1. The number of AI-generated code submissions increases.
2. The review burden on maintainers rises.
3. Review quality drops, or maintainers burn out and leave.
4. Vulnerabilities get merged and shipped in releases without being caught.
5. Those vulnerabilities surface in the systems of the SMEs built on that OSS.

Software that was “used for free” suddenly becomes a bundle of risks. This is what is happening now.

Another Risk—The Problem of AI Referencing “Phantom Libraries”

Another serious and often overlooked issue is that AI assistants reference package names that do not exist, a phenomenon known as "package hallucination."

A 2024 study of code-generating LLMs ("We Have a Package for You!") found that about 5.2% of the packages recommended by commercial models did not exist at all; for open-source models the figure was 21.7%. Attackers can exploit this by registering, in advance, the package names that AI frequently "hallucinates" on public registries such as PyPI or npm and embedding malware in them. If a developer runs the AI's output as is, the malicious package is installed automatically.

This means that a new entry point for supply chain attacks is being mass-produced by AI.

Consider this from an SME's point of view. Your contracted development company writes code with Copilot. Could a library that should not exist end up in your system? Who is checking?

How Much Will IT Costs for SMEs Increase?—Three Realistic Scenarios

“So, how much will it ultimately cost our company?”

The discussion is meaningless unless we answer this question. Assuming a company of around 30 employees running two or three OSS-based web systems, we estimate three scenarios.

Scenario 1: Minimum Defense (Annual Increase of 500,000 to 800,000 Yen)

  • Implementation of SCA (Software Composition Analysis) Tools: Paid plans for commercial tools such as Snyk cost about 30,000 to 50,000 yen per month, or 360,000 to 600,000 yen annually. (Dependabot is bundled with GitHub at no extra charge and Trivy is open source, but someone still has to run them and act on the findings.) This is the minimum measure for automatically detecting known vulnerabilities in the OSS you use.
  • Increased Labor for Vulnerability Response: A few hours of additional labor per month will be required. If outsourced, this could add about 10,000 to 20,000 yen per month, totaling 120,000 to 240,000 yen annually.

This represents a pattern of “continuing to use current OSS but increasing monitoring.” It is the most cost-effective option, but it does not provide a fundamental solution.

Scenario 2: Switching Some to Paid Software (Annual Increase of 1,000,000 to 1,800,000 Yen)

  • Migrating CMS (like WordPress) to a Paid Managed Service: Monthly costs of 20,000 to 50,000 yen. Annual costs of 240,000 to 600,000 yen.
  • Migrating the Database to a Managed Service: AWS RDS, Cloud SQL, etc. Monthly costs of 30,000 to 80,000 yen. Annual costs of 360,000 to 960,000 yen.
  • SCA Tools: Annual costs of 360,000 to 600,000 yen (same as Scenario 1).

This is the phase where companies start paying for what they could use for free. However, since they can rely on the vendor for applying security patches and updates, operational burdens decrease.

Scenario 3: Post-Incident Response (Annual Increase of Over 3,000,000 to 5,000,000 Yen)

  • Forensic Investigation: 1,000,000 to 3,000,000 yen per incident.
  • Notification and Response to Customers: In cases of personal data breaches, the average cost per incident is in the hundreds of thousands of yen.
  • System Modifications and Rebuilds: 1,000,000 to 2,000,000 yen.
  • Reputational Damage: Impossible to quantify in monetary terms. However, it can be fatal for SMEs.

This is the worst-case scenario, but it is a reality that can occur if “nothing is done.”

Conclusion: Doing Nothing Will Be the Most Expensive Option. The minimum measures will cost 500,000 to 800,000 yen annually. Whether to see this as “insurance” will be the dividing line.

It Is Time to Face the Costs of “Free”

Open source will not die. However, the assumption that it is “free, safe, and maintained by someone” is beginning to crumble.

The influx of AI-generated code is placing structural burdens on the OSS community’s “goodwill ecosystem.” Maintainers are becoming exhausted, the quality of reviews is deteriorating, and the risk of vulnerabilities being mixed in is increasing. This is not about blaming someone; it is a structural change brought about by the evolution of technology.

SME owners should now consider three things:

1. Take stock of which OSS your company depends on.

Surprisingly, many companies have never done this. Simply asking your contractors, "Please provide a list of the OSS used in our system, with versions" (in current terminology, a software bill of materials or SBOM) is a good start.

2. Implement one SCA tool.

A free tier is enough to start: Snyk's free plan, Trivy (open source), or Dependabot (built into GitHub). Set it up so that the OSS you use is checked automatically against known vulnerabilities. You can start for less than 10,000 yen per month.

3. Shift from “using it for free” to “making decisions based on operational costs.”

Even if the introduction cost of OSS is zero yen, the costs for operation, monitoring, and update responses are not zero. There will be more cases in the future where paying a few tens of thousands of yen per month for managed services will be cheaper overall.
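What steps 1 and 2 above amount to in practice, as an added example that is not the article's or any vendor's code: normalise the inventory you got from the contractor, then check each pinned version against the affected ranges in an advisory feed. That matching is the core of what an SCA tool does. The package names, version numbers and `EXAMPLE-2024-*` advisory IDs below are constructed for illustration; real tools pull advisories from feeds such as OSV or the GitHub Advisory Database, whose records use the same introduced/fixed range shape.

```python
"""Match a pinned dependency inventory against vulnerability advisories.

Added example, not the article's code. The inventory and advisories are
constructed; the shape of an advisory (package, id, list of
introduced/fixed ranges) follows the OSV convention.
"""
import re


def normalize(name):
    """PEP 503 normalisation so 'Acme_DB_Driver' and 'acme-db-driver' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v):
    """'2.10.0' -> (2, 10, 0): compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_inventory(text):
    """Parse 'name==version' lines (a requirements lockfile) into {name: version}."""
    inv = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9][0-9.]*)", line)
        if m:
            inv[normalize(m.group(1))] = m.group(2)
    return inv


def is_affected(version, ranges):
    """True if version lies in any [introduced, fixed) range; no 'fixed' means still open."""
    v = parse_version(version)
    for r in ranges:
        lo = parse_version(r.get("introduced", "0"))
        hi = r.get("fixed")
        if v >= lo and (hi is None or v < parse_version(hi)):
            return True
    return False


def scan(inventory, advisories):
    """Return (package, pinned_version, advisory_id, fixed_version_or_None) per match."""
    findings = []
    for adv in advisories:
        name = normalize(adv["package"])
        if name in inventory and is_affected(inventory[name], adv["ranges"]):
            fixed = [r["fixed"] for r in adv["ranges"] if "fixed" in r]
            best_fix = max(fixed, key=parse_version) if fixed else None
            findings.append((name, inventory[name], adv["id"], best_fix))
    return findings


# Constructed inventory for a small web system (what step 1 asks the contractor for).
INVENTORY = """\
# lockfile delivered by the contractor
acme-cms==2.4.1
Acme-DB-Driver==1.9.0
acme-auth==0.8.2
"""

# Constructed advisory records; IDs and ranges are made up for the example.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "Acme_DB_Driver",
     "ranges": [{"introduced": "1.0.0", "fixed": "1.9.3"}]},
    {"id": "EXAMPLE-2024-0002", "package": "acme-cms",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.4.0"}]},   # already fixed in 2.4.1
    {"id": "EXAMPLE-2024-0003", "package": "acme-auth",
     "ranges": [{"introduced": "0.8.0"}]},                     # no fix released yet
    {"id": "EXAMPLE-2024-0004", "package": "acme-cache",
     "ranges": [{"introduced": "0", "fixed": "3.1.0"}]},       # not in our inventory
]

if __name__ == "__main__":
    for name, have, adv_id, fix in scan(parse_inventory(INVENTORY), ADVISORIES):
        action = f"upgrade to {fix}" if fix else "no fix yet: mitigate or replace"
        print(f"{adv_id}: {name} {have} affected, {action}")
```

Two details matter in practice and are easy to get wrong by hand: names must be normalised before comparison, or an advisory for `Acme_DB_Driver` silently misses `acme-db-driver`; and versions must compare numerically, since as strings "2.10.0" sorts before "2.9.0". A finding with no fixed version is the case the scenarios above are really about: the cost lands on you, not the vendor.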

We have entered an era where AI writes code. This cannot be stopped. However, we can consider “how AI-written code will impact the foundation of our systems.”

Free software is quietly starting to break down. Ultimately, the companies using it will pay for the repair costs. To avoid realizing this when it is too late, I hope you will start with what you can do today.
