CASE STUDY / ANONYMISED COMPOSITE
A vendor defends an open source compliance claim.
This anonymised composite case study follows a company that defends an open source compliance claim by meeting an open ended audit inquiry with a defensible record, turning a vague accusation into a bounded, answerable question.
Situation
The company was an established enterprise that ran a large estate of open source software across many teams. It had adopted most of its components years earlier, under the licenses in force at the time, and had grown through acquisition, which left several code bases with histories no single person fully knew. The software ran reliably, and no one had reason to revisit the terms until a letter arrived.
The exposure that triggered the work
A software vendor sent an open source compliance claim asserting that the company was using a relicensed component outside the terms of its license and requesting broad information about deployment, alongside a suggestion that a commercial license was now required. The claim was framed in open ended language, the kind that invites a sprawling internal search and a settlement driven by uncertainty rather than facts. The company could not immediately say which versions it ran, when each had been adopted, or under which license, which is precisely the position a claim like this is designed to exploit. The general counsel needed a factual foundation before responding, and needed it fast.
Approach
We began by building the evidence record, working alongside the company's own counsel, who led the response. A software composition analysis pass mapped every place the named component appeared, direct and transitive, and recorded the exact version of each instance. We then reconstructed the adoption history from version control and build records, establishing when each version had entered the estate and which license governed it at that time. Because the license in force governs the versions adopted under it, this timeline was the core of the defense.
The record showed that most of the deployment ran versions taken under the earlier open source license, well before the relicense, and that those versions kept their original terms. A small number of instances ran newer versions, and for those we mapped the precise use so counsel could assess whether any of it crossed the boundary the claim alleged. The result was a clear separation between the use the claim did not reach and the narrow slice that warranted attention, each backed by evidence rather than assertion.
We assembled the findings into an evidence pack and a position memo that counsel could use directly: what the company ran, in which versions, since when, and under which terms. The aim throughout was to answer precisely what the claim asked, neither volunteering more than necessary nor leaving a question open that the company could not support with a record.
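The separation described above, as an added illustration rather than the firm's own tooling: a constructed SCA inventory and adoption dates recovered from version control are checked against a hypothetical component's license history, splitting instances the claim cannot reach from the narrow slice that needs review, and flagging records whose dates do not fit the relicense timeline. Component, versions, dates and license names are all constructed.

```python
from datetime import date

# Constructed license history for a hypothetical component "examplelib":
# versions from 2.0.0 on were relicensed on RELICENSE_DATE; earlier
# versions keep their original terms.
RELICENSE_DATE = date(2021, 1, 1)
LICENSE_HISTORY = [("1.0.0", "Apache-2.0"), ("2.0.0", "Commercial-Only")]

# Constructed SCA inventory: (repo, exact version, direct/transitive,
# date the version entered the estate per the first commit that added it).
INVENTORY = [
    ("billing-api",   "1.4.2", "direct",     date(2017, 3, 9)),
    ("billing-api",   "1.4.2", "transitive", date(2017, 3, 9)),
    ("reporting-job", "1.9.0", "direct",     date(2019, 11, 2)),
    ("acq-legacy",    "1.2.1", "transitive", date(2016, 6, 30)),
    ("edge-gateway",  "2.1.0", "direct",     date(2022, 8, 15)),
    ("odd-record",    "2.0.0", "direct",     date(2020, 5, 5)),  # predates relicense
]

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def license_for(version):
    """License governing a version: the last history entry at or below it."""
    governing = None
    for first, lic in LICENSE_HISTORY:
        if parse_version(version) >= parse_version(first):
            governing = lic
    return governing

def classify(inventory, claimed_license="Commercial-Only"):
    """Tag each instance: reachable by the claim or not, and flag records
    where a relicensed version is dated before the relicense (to re-verify)."""
    findings = []
    for repo, ver, kind, adopted in inventory:
        lic = license_for(ver)
        in_scope = lic == claimed_license
        findings.append({"repo": repo, "version": ver, "kind": kind,
                         "adopted": adopted, "license": lic, "in_scope": in_scope,
                         "record_conflict": in_scope and adopted < RELICENSE_DATE})
    return findings

def position_summary(findings):
    """Figures for the position memo: what the claim reaches and what it does not."""
    reached = [f for f in findings if f["in_scope"] and not f["record_conflict"]]
    return {"instances": len(findings),
            "outside_claim": sum(not f["in_scope"] for f in findings),
            "needs_review": sorted({(f["repo"], f["version"]) for f in reached}),
            "records_to_verify": [f["repo"] for f in findings if f["record_conflict"]]}
```

A flagged record is not evidence either way; it marks an inventory entry that must be re-checked against version control before it goes into the evidence pack.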
Outcome
With the evidence in hand, the company's counsel responded to the claim from a position of fact rather than uncertainty. The bulk of the alleged exposure fell away, because the versions in question were governed by the earlier open source license. The narrow remaining slice was addressed on its merits, and the conversation that had started as an open ended demand became a bounded, technical discussion. The company avoided a settlement framed by fear and resolved the matter on terms proportionate to its actual use. It also kept the evidence record as a standing asset for any future inquiry.
Lessons for buyers
Three lessons carry to other buyers. First, evidence beats argument. A claim framed in open ended language loses its force the moment you can state precisely what you run and since when. Second, the version history is the defense. Because the license in force governs the versions adopted under it, a credible adoption timeline often dissolves most of an exposure that looked large at first. Third, the record should exist before the claim. The companies that respond calmly are the ones that already hold a current software bill of materials, not the ones that build it under deadline. The discipline behind this is set out in our guide to how auditors and vendors find your exposure.
Standing up evidence for a claim like this is the work of our open source compliance audit defense service. Responses to a compliance claim and interpretation of license terms should be handled with your own counsel.
COMMON QUESTIONS
Questions buyers ask.
What is an open source compliance claim?
An open source compliance claim is an assertion, usually from a vendor or an auditor, that an organization is using software outside the terms of its license. It can allege a missing commercial license, a breach of competitive use terms, or unmet copyleft obligations, and it often arrives as an open ended request for information.
How does a vendor defend an open source compliance claim?
Defense rests on evidence. A defensible record of what software is run, under which license, in which versions, and since when turns an open ended inquiry into a bounded question. The aim is to answer precisely what is asked, neither more nor less, from a record that was built before the claim arrived.
What evidence matters most in a compliance claim?
A current software bill of materials, the version history of the components in question, and records of when each version was adopted and under which license. Together these establish what terms governed each use at the relevant time, which is the foundation of any response.
Is this a real named client?
No. This is an anonymised composite drawn from common engagement patterns. It names no client, no vendor, and no auditor, and the details illustrate a typical situation rather than a single account.
Is this legal advice?
No. This is commercial and licensing risk advisory, not legal advice. Responses to a compliance claim and interpretation of license terms should be handled with your own counsel.
CONTAINMENT
Build the record before the claim arrives.
A confidential open source license risk assessment. Independent, buyer side, paid only by you.
Not ready to talk? Read the free open source license risk guides first.