OpenSource Risk Experts
Map your blast radius

ADVISORY / DEAL

Open source due diligence for acquirers.

Open source due diligence for acquirers finds the licensing exposure in a target before the deal closes. We map the dependency tree, flag relicensing and copyleft risk, and attach a remediation cost while there is still room to price it in.


A target company is its software, and its software rests on open source. When a component in that stack has relicensed, or carries a copyleft obligation no one tracked, the cost lands on the acquirer after close. Open source due diligence for acquirers brings that cost forward, into the window where price and terms are still open.

What open source due diligence for acquirers covers

We review the target's full dependency tree, direct and transitive, and establish the license state of each component as it stands today rather than as the target remembers it. We flag the material exposures: components that relicensed under the Business Source License or the Server Side Public License, copyleft obligations under the GNU AGPL that may reach the target's proprietary code, and any commercial license demands already in motion. Each flag carries an estimated remediation cost.

The output is a red flag memo written for a deal team. It says what the exposure is, what it would cost to cure, and how it bears on valuation. It is short enough for an investment committee and detailed enough for the integration plan.

Why relicensing changed the diligence picture

For most of the last decade, open source diligence focused on copyleft, mainly the GPL family and the GNU AGPL. The relicensing wave widened the field. In August 2023 HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer to the Business Source License. In March 2024 Redis moved to the Redis Source Available License and the Server Side Public License, with Valkey as the fork. Elasticsearch and Kibana moved to the Server Side Public License and the Elastic License in 2021, with OpenSearch as the fork. MongoDB moved to the Server Side Public License in 2018.

Source available is not open source, and these licenses are not approved by the Open Source Initiative. A target running them at scale may owe a commercial license the seller never disclosed, because the seller may not have noticed the change either. That is exactly the kind of exposure that should be found in diligence, not after wiring the funds.

How acquirers use the findings

A sized exposure is a lever. It can support a price adjustment, a specific indemnity, an escrow holdback, or a condition that the seller remediate before close. It also seeds the integration plan, so the first ninety days after close are not spent discovering what diligence should have surfaced. We write the findings to be used in the negotiation, not filed away.

This engagement extends our broader practice. It builds on our M&A due diligence service, draws on the obligations covered in our M&A and compliance pillar, and rests on the same foundations as our wider open source license risk work.

COMMON QUESTIONS

Questions buyers ask.

What is open source due diligence for acquirers?

Open source due diligence for acquirers maps a target company's dependency tree, identifies relicensing and copyleft exposure, and attaches a remediation cost so the buyer can price the risk into the deal before close.

Why does open source matter in a deal?

A target may run components that have relicensed under the Business Source License or the Server Side Public License, or carry copyleft obligations under the GNU AGPL. Each can require a commercial license or rework after close and can materially change valuation.

When in the deal should diligence happen?

As early as access allows. Surfacing exposure during diligence, with a cost attached, leaves room to renegotiate price, adjust terms, or require remediation as a condition of close.

What do acquirers receive?

A review of the target's dependency tree, a red flag memo on the material exposures, and a remediation cost estimate. The output is written for the deal team and the investment committee.

Is this legal advice?

No. This is commercial and licensing risk advisory, not legal advice. We recommend your own counsel for interpretation of license terms and for the legal representations and warranties in the deal.

DEAL

Find the exposure before close.

A confidential open source license risk assessment. Independent, buyer side, paid only by you.

Not ready to talk? Read the free open source license risk guides first.
