OpenSource Risk Experts
Map your blast radius

OPEN SOURCE LICENSE RISK

The software you depend on can change the rules overnight.

Open source license risk is real. Open licenses are quietly becoming source available, and the terms you adopted may not be the terms you run today.


THE RELICENSE EVENT

When an open source project relicenses, the risk propagates to everything you built on it.

HashiCorp moved Terraform to the Business Source License. As of August 2023.

Redis moved to the SSPL and the RSALv2. As of March 2024.

Elasticsearch and Kibana moved to the SSPL. As of 2021.

THE HIDDEN EXPOSURE

Most enterprises have never mapped their blast radius.

So the exposure stays invisible until a vendor or an auditor finds it first. The red is already in your tree, buried layers down.

CONTAINMENT

We draw the boundary. The spread stops at the line.

Risk is isolated. Safe paths reroute around the contained zone, and you regain control of your own dependencies.

Map your blast radius

A confidential open source license risk assessment.

WHAT WE DO

Assess. Quantify. Remediate.

Assess

We map every open source dependency you run and the license state of each one.

Quantify

We size the exposure and the cost to cure, in terms your board will recognize.

Remediate

We contain the risk and reroute to safe alternatives or negotiated terms.

Explore the full set of engagements on our open source license risk advisory services, or start with a confidential risk assessment.

WHY INDEPENDENT

No vendor. No reseller. No incentive but yours.

We are paid only by you. The advice you receive is the advice you need, not the product someone needs to sell.

THE RED GIANTS

The projects driving the risk.

The largest nodes in the network. Each carries a license that has already changed.

BSL

HashiCorp

Terraform and the HashiCorp stack moved to the Business Source License. As of August 2023.

SSPL

Redis

Redis moved to the SSPL and the RSALv2. As of March 2024.

SSPL

Elastic

Elasticsearch and Kibana moved to the SSPL. As of 2021.

SSPL

MongoDB

MongoDB moved to the SSPL. As of 2018.

HOW WE WORK

Independent by design, on every engagement.

100%

buyer side. Paid only by you.

0

vendor fees or reseller margins

BSL·SSPL·AGPL

the license families we map cold

Engagement figures are confidential. We map, quantify, and contain exposure across the relicensing wave.

COMMON QUESTIONS

Open source license risk, answered.

What is open source license risk?

Open source license risk is the exposure an enterprise carries when software it runs in production changes its license terms. When a project relicenses from an open source license to a source available license such as the Business Source License or the Server Side Public License, competitive use restrictions, service-level copyleft obligations and commercial license demands attach to the releases published after the change. Versions you obtained under the old open source license stay under that license, so the exposure surfaces when you upgrade, pull a security patch or rebuild an image that tracks the latest release of a dependency that has moved.

Which open source projects have changed their license?

HashiCorp moved Terraform, Vault, Consul, Nomad and Packer to the Business Source License as of August 2023. Redis moved to a dual Redis Source Available License and Server Side Public License model as of March 2024. Elasticsearch and Kibana moved to the SSPL and the Elastic License as of 2021. MongoDB moved to the SSPL in 2018. Terms keep moving in both directions: Elastic added the AGPLv3 as a licensing option in 2024 and Redis did the same with Redis 8 in 2025, so the license that applies depends on the exact version you run. Confirm current terms with your own counsel.

Is source available the same as open source?

No. Source available is not the same as open source. The Server Side Public License and the Business Source License are not OSI approved open source licenses. The source may be readable, but the terms restrict competitive production use and can carry distribution and commercial obligations that open source licenses do not. The BSL is also time-limited: each release converts to an open source license on a change date set by the licensor (HashiCorp's BSL 1.1 converts to the MPL 2.0 four years after a release), so the version you run determines which terms apply.

How do I assess my open source license risk?

Start by mapping every open source dependency you run and the current license state of each one, including transitive dependencies layers down in the tree, at the exact version you deploy rather than the version you first adopted. Treat a dependency with no license metadata as unresolved, not as clean. Then quantify the exposure and the cost to cure, and contain it by rerouting to safe alternatives or negotiating commercial terms. A confidential open source license risk assessment maps this blast radius for you.
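The mapping step above, as an added example (not code from this page or from any of the projects it names): the script walks a CycloneDX-shaped SBOM, flags every component whose declared license is in a source available family or that carries no license data at all, records each dependency path from the application root down to the flagged node, and computes the set of components that transitively depend on it. The SBOM, the package refs and versions, and the license-family table are constructed for illustration; an assessment would run this over the SBOM your build actually emits.

```python
import json
from collections import defaultdict, deque

# Identifiers treated as source available. SPDX ids where they exist;
# "RSALv2" is the label some tools emit for the Redis Source Available
# License. The mapping is an assumption of this example, not a standard.
SOURCE_AVAILABLE = {
    "BUSL-1.1": "BSL",
    "SSPL-1.0": "SSPL",
    "Elastic-2.0": "Elastic License",
    "RSALv2": "RSAL",
}

# Constructed CycloneDX-shaped SBOM: refs, versions and graph are invented.
SAMPLE_SBOM = json.dumps({
    "metadata": {"component": {"bom-ref": "app", "name": "billing-api", "version": "2.4.0"}},
    "components": [
        {"bom-ref": "svc-a", "name": "svc-a", "version": "1.0.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "svc-b", "name": "svc-b", "version": "3.1.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "terraform", "name": "terraform", "version": "1.6.0",
         "licenses": [{"license": {"id": "BUSL-1.1"}}]},
        {"bom-ref": "elasticsearch", "name": "elasticsearch", "version": "8.12.0",
         "licenses": [{"expression": "SSPL-1.0 OR Elastic-2.0"}]},
        {"bom-ref": "redis-client", "name": "redis-py", "version": "5.0.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "redis-server", "name": "redis", "version": "7.4.0",
         "licenses": [{"license": {"name": "RSALv2"}}]},
        {"bom-ref": "mystery", "name": "mystery-lib", "version": "0.3.0"},  # no license data
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["svc-a", "svc-b", "redis-client"]},
        {"ref": "svc-a", "dependsOn": ["terraform", "mystery"]},
        {"ref": "svc-b", "dependsOn": ["terraform", "elasticsearch"]},
        {"ref": "redis-client", "dependsOn": ["redis-server"]},
    ],
})


def _license_ids(component):
    """License ids declared on a component, from either the
    {"license": {"id"|"name"}} form or the {"expression": ...} form."""
    ids = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            # Crude tokenising of an SPDX expression: enough to spot a flagged id.
            toks = entry["expression"].replace("(", " ").replace(")", " ").split()
            ids.extend(t for t in toks if t not in ("AND", "OR", "WITH"))
        elif "license" in entry:
            lic = entry["license"]
            ids.append(lic.get("id") or lic.get("name") or "")
    return [i for i in ids if i]


def classify(license_ids):
    """Family name if any declared id is source available, else None.
    An OR-expression with an open alternative still gets flagged here so a
    human reviews it; the full id list is kept in the finding for that."""
    for lid in license_ids:
        if lid in SOURCE_AVAILABLE:
            return SOURCE_AVAILABLE[lid]
    return None


def blast_radius(sbom_json):
    """Map each flagged component (source available, or no license data) to
    every dependency path from the application root that reaches it."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    edges = defaultdict(list)
    for d in sbom.get("dependencies", []):
        edges[d["ref"]].extend(d.get("dependsOn", []))
    findings = {}

    def visit(ref, path):
        if ref in path:  # cycle guard; dependency graphs from real tools can have them
            return
        path = path + [ref]
        comp = comps.get(ref)
        if comp is not None:
            ids = _license_ids(comp)
            family = classify(ids)
            if family is None and not ids:
                family = "UNKNOWN"  # no metadata: cannot be cleared, so it is flagged
            if family:
                f = findings.setdefault(ref, {"family": family, "licenses": ids, "paths": []})
                f["paths"].append(path)
        for child in edges.get(ref, []):
            visit(child, path)  # revisits shared nodes on purpose, to keep every path

    visit(root, [])
    return findings


def dependents(sbom_json, ref):
    """Everything that transitively depends on ref: the set whose license state
    changes with it. Reverse BFS, which scales where path enumeration does not."""
    sbom = json.loads(sbom_json)
    rev = defaultdict(list)
    for d in sbom.get("dependencies", []):
        for child in d.get("dependsOn", []):
            rev[child].append(d["ref"])
    seen, queue = set(), deque([ref])
    while queue:
        for parent in rev.get(queue.popleft(), []):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


if __name__ == "__main__":
    for ref, f in blast_radius(SAMPLE_SBOM).items():
        print(f"{ref}: {f['family']} {f['licenses']}")
        for p in f["paths"]:
            print("   " + " -> ".join(p))
        print("   dependents:", sorted(dependents(SAMPLE_SBOM, ref)))
```

Two design points matter in practice. First, a component with no license metadata is reported as UNKNOWN rather than silently passed, because an auditor will treat it the same way. Second, path enumeration is what shows "layers down", but on a large graph with many shared nodes it grows quickly; the reverse-reachability set in `dependents` is the scalable way to size who is affected once a flagged node is known.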

Do you provide legal advice on license compliance?

No. We provide commercial and licensing risk advisory, not legal advice. We map exposure and quantify cost from the buyer side. For interpretation of license terms and compliance questions, we always recommend you engage your own counsel.

CONTAINMENT

Map your blast radius before it spreads.

A confidential open source license risk assessment.

Map your blast radius

INDEPENDENT. BUYER SIDE. PAID ONLY BY YOU.