OpenSource Risk Experts
Map your blast radius

CASE STUDIES

Open source risk case studies: what a contained blast radius looks like.

These open source risk case studies are composite, anonymized engagements drawn from real relicensing events. No logos, no attribution, and outcomes are described directionally to protect client confidentiality. They show how exposure is mapped, quantified, and contained.

RELICENSING

HashiCorp and Terraform

BSL

As of August 2023

A platform team discovers Terraform sits under every deployment they own.

SITUATION

The move to the Business Source License reached a component embedded across every pipeline. Usage that was routine the day before now sat under terms legal had never reviewed.

WHAT WE DID

Mapped every dependent surface, separated competitive use from internal use under the BSL, and sequenced a migration of the genuinely exposed paths.

OUTCOME

Exposure scoped from the whole estate to a defined, defensible subset, with a costed plan for the remainder.

All: pipelines flagged at first

A few: genuinely exposed paths

Weeks: to a contained estate

Redis and Elastic

SSPL

As of 2021 and 2024

Two data layers relicense, and a SaaS provider has to know if it offers them as a service.

SITUATION

The SSPL turns on how software is offered, not just how it is used. The provider needed certainty about which deployments crossed the line the license draws.

WHAT WE DID

Traced each managed offering to its data layer, classified exposure against the SSPL service condition, and identified drop-in forks under permissive terms.

OUTCOME

A clear answer per offering and a reroute to maintained, permissively licensed alternatives where it mattered.

Sized: exposure quantified per offering

Targeted: offerings rerouted where it mattered

Most: of flagged use cleared as safe

ADVISORY

Remediation

CONTAIN

Multi-quarter program

A bank draws the boundary, then reroutes around the contained zone.

SITUATION

Several relicensed components were spread across business-critical systems with no map and no owner for the risk.

WHAT WE DID

Drew a containment boundary around the affected zone, froze new adoption inside it, and rerouted dependent services to safe paths on a sequenced timeline.

OUTCOME

Spread halted at the line, with an owned policy that catches the next relicense at intake.

Full: dependency tree mapped

All: affected components contained and rerouted

0: unmapped relicensed nodes remaining

M and A Due Diligence

DEAL

Pre-close diligence

An acquirer prices relicensing risk into the deal before signing.

SITUATION

A target's product leaned on source-available components whose terms could constrain the combined entity's go-to-market.

WHAT WE DID

Reviewed the target's dependency tree during diligence and delivered a red-flag memo with a costed remediation estimate.

OUTCOME

The exposure was reflected in the price and the post-close plan, with no surprises after signing.

Priced: remediation cost surfaced pre-close

Days: from data room to red-flag memo

Each engagement maps to a service: the assessment and relicensing exposure review behind the first two, remediation and governance behind the bank, and M and A due diligence behind the last. Your tree has a story like these in it.

COMMON QUESTIONS

Questions buyers ask.

Are these open source risk case studies based on real clients?

They are composite, anonymized engagements drawn from real relicensing events. We never name clients or use logos, and outcomes are described directionally to protect client confidentiality.

What relicensing events do the case studies cover?

They span the HashiCorp move to the Business Source License as of August 2023, the Redis and Elastic moves to the SSPL, remediation programs, and M and A due diligence on source-available components.

How long does a containment engagement take?

It depends on the size of the tree and the spread of the affected components. The composite timelines here run from a few weeks for a scoped estate to a multi-quarter program for a large bank.

Can you share references?

Engagements are confidential by default. We can discuss the shape of relevant work without identifying any party. Contact us for a scoped conversation.


CONTAINMENT

Map your blast radius before it spreads.

A confidential open source license risk assessment. Independent, buyer-side, and paid only by you.

Not ready to talk? Read the free open source license risk guides first.
