Sudo maintainer seeks funding after 30 years solo, recent CVEs highlight risks

Todd C. Miller, sole maintainer of sudo since 1993, is seeking sponsorship after Quest Software ended funding in February 2024. Recent vulnerabilities, including a 12-year-old flaw and a chroot exploit enabling root access, underscore the risk of critical infrastructure depending on single maintainers.

The Unix utility that underpins privilege management across most Linux servers, macOS systems, and enterprise infrastructure is maintained by one person. And he's looking for help.

Todd C. Miller has maintained sudo, the command-line tool that controls how users execute commands with elevated privileges, since 1993. Quest Software sponsored development from 2010 until February 2024, when Miller left the company. He's been seeking a new sponsor since then.

Sudo updates haven't stopped. Miller continues shipping patches, including fixes for recent vulnerabilities that highlight why this matters. CVE-2025-32462, a flaw in the host option that had been present for over 12 years, and CVE-2025-32463, a flaw in sudo's chroot handling that can grant root access even to users with no sudoers rules, both affect default configurations. The 2021 Baron Samedit vulnerability (CVE-2021-3156) was a heap overflow that went unnoticed for a decade, affecting sudo versions 1.7.7 through 1.9.5p1.

This is the single-maintainer problem at scale. Sudo is foundational infrastructure, present in roughly 90% of Linux servers. When critical security tools depend on one developer's availability and funding, enterprise risk management becomes uncomfortably binary.

The industry has models for this. OpenSSL transitioned to multi-maintainer governance after Heartbleed. The Linux Foundation funds critical projects. Ubuntu hedged by switching to sudo-rs, a Rust rewrite, as default in version 25.10, addressing memory safety issues that plague the C implementation.

What this means in practice: CTOs running Linux infrastructure should audit sudo configurations now, prioritize patching to latest versions, and track Miller's funding search. If sudo loses active maintenance, the security implications cascade across your stack.
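The audit the article recommends can be scripted. The following is an added example, not code from the article or from the sudo project: it parses the version string `sudo -V` prints (including the `pN` patch-level suffix, which naive string comparison gets wrong), flags versions inside the Baron Samedit range the article gives, and scans a sudoers file for the two directives that turn on chroot behaviour, the `runchroot` Defaults option and the `CHROOT=` command tag. Those keywords come from sudoers(5), not from the article, and the sample sudoers content, path and user names are constructed. The article does not state which release fixes the two 2025 CVEs, so the script reports the installed version and leaves that comparison to the maintainer's advisory; note too that the article says CVE-2025-32463 affects default configurations, so a clean sudoers file is not a substitute for patching.

```python
"""Added example: a small sudo audit helper (not part of the article or the sudo project)."""
import re
import subprocess
from typing import List, NamedTuple, Tuple


class SudoVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    plevel: int  # trailing "pN" patch level; 0 when absent, so 1.9.5 < 1.9.5p1


# Version strings look like "1.9.5p1"; `sudo -V` prints "Sudo version 1.9.5p1" on its first line.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text: str) -> SudoVersion:
    """Extract a comparable version tuple from a bare version or a `sudo -V` line."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version string found in {text!r}")
    major, minor, patch, plevel = m.groups()
    return SudoVersion(int(major), int(minor), int(patch), int(plevel or 0))


# Range the article gives for Baron Samedit (CVE-2021-3156): 1.7.7 through 1.9.5p1 inclusive.
BARON_SAMEDIT_FIRST = SudoVersion(1, 7, 7, 0)
BARON_SAMEDIT_LAST = SudoVersion(1, 9, 5, 1)


def in_baron_samedit_range(v: SudoVersion) -> bool:
    """Tuple comparison handles the patch level correctly (1.9.5p2 is outside the range)."""
    return BARON_SAMEDIT_FIRST <= v <= BARON_SAMEDIT_LAST


# sudoers(5) directives that enable chroot behaviour: the `runchroot` Defaults option and the
# CHROOT= tag on a command spec. Keywords from sudoers(5); the article does not name them.
_CHROOT_RE = re.compile(r"(?:^|\s)runchroot\s*=|(?:^|\s)CHROOT=")


def audit_sudoers(sudoers_text: str) -> List[Tuple[int, str]]:
    """Return (line number, stripped line) for every non-comment line that enables chroot."""
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(sudoers_text.splitlines(), start=1):
        # Drop comments. This also drops legacy "#include" lines, which carry no chroot settings;
        # a full audit would follow @include/@includedir into /etc/sudoers.d as well.
        line = raw.split("#", 1)[0].strip()
        if line and _CHROOT_RE.search(line):
            findings.append((lineno, line))
    return findings


# Constructed sample sudoers content; not taken from any real host.
SAMPLE_SUDOERS = """\
# constructed sample, not from any real host
Defaults        env_reset
Defaults        runchroot=/srv/jail
alice   ALL=(ALL) CHROOT=/srv/jail /usr/bin/vim
bob     ALL=(ALL) ALL
"""


def installed_sudo_version() -> SudoVersion:
    """Ask the local sudo binary for its version (needs no privileges)."""
    out = subprocess.run(["sudo", "-V"], capture_output=True, text=True, check=True).stdout
    return parse_sudo_version(out.splitlines()[0])


if __name__ == "__main__":
    try:
        v = installed_sudo_version()
        print(f"installed sudo: {v.major}.{v.minor}.{v.patch}p{v.plevel}")
        if in_baron_samedit_range(v):
            print("  WARNING: inside the Baron Samedit (CVE-2021-3156) range, patch immediately")
        print("  compare against the sudo advisory for CVE-2025-32462 / CVE-2025-32463")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"could not query sudo: {exc}")

    for lineno, line in audit_sudoers(SAMPLE_SUDOERS):
        print(f"sample sudoers line {lineno} enables chroot: {line}")
```

On a real host, replace `SAMPLE_SUDOERS` with the output of `visudo -c` or a read of `/etc/sudoers` and the files under `/etc/sudoers.d`, which requires root; the version check itself runs as any user.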

The pattern is clear. Critical open source infrastructure routinely depends on individuals who eventually burn out, leave, or can't continue without funding. We've covered similar situations with Ubuntu Unity and NGINX Ingress Controller. Sudo is just more fundamental.

Miller is still shipping. The question is for how long, and what happens if the answer is not long enough.