OpenSource Risk Experts
Map your blast radius

CASE STUDY · M AND A DILIGENCE

Acquirer finds hidden SSPL risk in a target before close.

In this case study, an acquirer finds hidden SSPL risk in a target that standard diligence had cleared, then prices the remediation cost into the deal before close. An anonymised composite drawn from buy side engagements. No named parties.

Situation

A mid market private equity acquirer was nearing close on a vertical software company that served regulated customers. The target was a mature business with a clean technical reputation, and the standard diligence stream had returned no material flags. Code quality looked sound, the security review was unremarkable, and the legal team had received the usual representation that the target's software was free of problematic licenses. On paper the open source question was settled. The acquirer engaged us to run an independent, buyer side review of the target's open source license exposure as a final check before signing.

The exposure that triggered the review

The concern was structural rather than specific. Open source enters a company through engineering, and its license terms can change long after adoption. A representation that a stack is clean reflects what the target believes it adopted, not necessarily what the components have become. Several widely used projects had relicensed in recent years, including the move of Elasticsearch and Kibana to the Server Side Public License and the Elastic License in 2021. If the target had deployed any of these before the change and never refreshed its records, the exposure would be invisible to a standard review and very real in production.

Approach

We resolved the target's full dependency tree from its manifests, lockfiles, and built artifacts, then reconciled what was declared against what actually shipped. Rather than trust the recorded license for each component, we checked the current license state of every node as of the date of the review. The work concentrated on the transitive layer, the components the target never chose directly but inherited through something it did, because that is where relicensing exposure most often hides. Each finding was tagged with where it ran, how it was deployed, and what the change in terms meant commercially.

The map surfaced what the standard stream had not. A search and analytics component, adopted years earlier under an open license, was running under the Server Side Public License inside a customer facing service. The target's own register still showed the original license. Because the Server Side Public License is source available rather than open source and is not approved by the Open Source Initiative, and because its service provider terms can reach the surrounding software used to deliver a service, the deployment created a commercial exposure that materially changed the open source picture of the deal.
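The reconciliation described in the Approach section and the stale-register finding above, as an added example that is not the firm's own tooling: it walks a constructed dependency graph to the transitive layer, compares each node's recorded license against a constructed "current state as of review date" lookup, and tags any stale or non-OSI entry with its deployment context. Component names, licenses and deployment tags are all constructed sample data.

```python
# Added example (not the firm's tooling): reconcile recorded licenses against
# current license state across the full transitive tree. All data below is
# constructed sample data; a real review pulls current state from upstream
# as of the review date rather than from a static table.
from collections import deque

OSI_APPROVED = {"Apache-2.0", "MIT", "BSD-3-Clause"}  # constructed subset
# name -> (license the target's register records, current license at review)
LICENSES = {
    "app-core":      ("Apache-2.0", "Apache-2.0"),
    "search-client": ("Apache-2.0", "Apache-2.0"),
    "search-engine": ("Apache-2.0", "SSPL-1.0"),   # relicensed after adoption
    "log-lib":       ("MIT", "MIT"),
}
# edges resolved from lockfiles and built artifacts: name -> direct deps
DEPENDENCIES = {
    "app-core": ["search-client", "log-lib"],
    "search-client": ["search-engine"],
}
# where each component runs, so a finding carries commercial context
DEPLOYMENT = {"search-engine": "customer-facing hosted service"}


def resolve_tree(root):
    """Breadth-first walk; returns {node: depth}, depth 1 = direct dependency."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in DEPENDENCIES.get(node, []):
            if dep not in depth:
                depth[dep] = depth[node] + 1
                queue.append(dep)
    return depth


def find_relicensing_exposure(root):
    """Flag nodes whose register entry is stale or whose current license is not OSI approved."""
    findings = []
    for node, d in resolve_tree(root).items():
        recorded, current = LICENSES.get(node, ("unknown", "unknown"))
        if recorded != current or current not in OSI_APPROVED:
            findings.append({
                "component": node,
                "transitive": d > 1,          # inherited, not chosen directly
                "recorded": recorded,
                "current": current,
                "open_source": current in OSI_APPROVED,
                "deployed_in": DEPLOYMENT.get(node, "unmapped"),
            })
    return findings
```

Running `find_relicensing_exposure("app-core")` returns only the transitive search engine node, showing the register's Apache-2.0 entry beside the current SSPL-1.0 state and the service it runs in.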

Outcome

We sized the exposure and the cost to cure. The cleanest route was a migration to the AWS led fork OpenSearch, which preserved the function under an open license, and we estimated the engineering effort and the elapsed time to complete it. That figure, a defined remediation cost rather than an open ended liability, went to the negotiating table. The acquirer reflected it in the price and in the reps and warranties, so the risk was carried by the right side of the deal. The exposure that standard diligence valued at zero was priced in the low six figures of remediation effort, a number the deal model absorbed without difficulty precisely because it was found before signing rather than after.

Had the same component surfaced after close, the acquirer would have inherited it in full, with no leverage and a vendor on the other side of the conversation. Found during diligence, it became a routine adjustment. The difference was timing, and the only thing that changed the timing was looking at current license state across the full tree.

Lessons for buyers

A representation that a stack is clean is a statement about the past, not the present. License state moves, and a component adopted under an open license can carry the Server Side Public License today. Standard diligence rarely resolves the full transitive tree or checks current state, which is exactly where relicensing exposure lives. The remedy is independent, buyer side mapping run before signing, when a finding is leverage rather than a write down. An unpriced risk is a transferred risk, and in a transaction the acquirer is the one it transfers to.

For how this analysis is run on a live transaction, see our open source M and A due diligence service. For the broader frame, read the M and A and compliance guide, and browse more case studies on contained exposure.

COMMON QUESTIONS

Questions buyers ask.

What did the acquirer find in the target?

Standard diligence had cleared the target's stack. A deeper dependency map found a search and analytics component running under the Server Side Public License, deep in a customer facing service, which standard review had missed.

Why was the SSPL risk hidden?

The component had been adopted under an open license and relicensed to the Server Side Public License after the target deployed it. The target's own records still showed the old license, and standard diligence did not resolve the full transitive tree.

How was the exposure handled in the deal?

The remediation cost was estimated and brought to the negotiating table, where it was reflected in the price and the reps and warranties, rather than inherited unpriced after close.

Is this a real named client?

No. This is an anonymised composite drawn from buy side diligence engagements. No named parties or logos are used.

CONTAINMENT

Find the exposure before you own it.

A confidential open source license risk assessment. Independent, buyer side, paid only by you.

Not ready to talk? Read the free open source license risk guides first.