OpenSource Risk Experts
Map your blast radius

INDEPENDENT · BUYER SIDE

Open Source License Risk Consultant

An open source license risk consultant maps what you run, names the components that have quietly changed terms, and tells you plainly what the exposure costs. We work only from the buyer side. We take no vendor fees and resell no software, so the recommendation reflects your risk and not someone else's quota.

Talk to a consultant

A wave of widely used projects has changed license in the last few years. HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer to the Business Source License as of August 2023. Redis moved to a dual model with the Server Side Public License as of March 2024. Elasticsearch and Kibana moved to the Server Side Public License and the Elastic License as of 2021. MongoDB moved to the Server Side Public License in 2018. Each change created production exposure that most enterprises never mapped. A consultant who knows these license families closes that gap.

What an open source license risk consultant brings

The value is fluency and independence. The consultant knows the difference between the Business Source License, the Server Side Public License, and the GNU AGPL cold, and can tell you which of the three is sitting in your build and what each one demands. Just as important, the consultant carries no incentive to sell you a license or a migration. The job is to size your exposure honestly and recommend the cheapest defensible path, even when that path is to do nothing yet.

Source available is not open source. The Server Side Public License and the Business Source License are not approved by the Open Source Initiative, and their restrictions can apply to software you are already running. A consultant names that distinction for every affected component so no one on your side treats a source available dependency as if it were permissive.

How an engagement works

Most engagements begin with an open source license risk assessment, which maps every dependency and the current license state of each one. From there the consultant scopes only what your exposure warrants. If a relicensed component sits on a revenue path, the next step is a focused exposure review. If a commercial license is unavoidable, the consultant gives you the usage baseline to negotiate from your own numbers. If the issue is process, governance work closes the gap so the next change is caught at intake rather than in an audit.

The work is read-only on your systems. We do not need write access to produce the map, and the output is built to be shared with engineering, security, procurement, and the board. You can see the full set of engagements on the open source license risk services page, and the broader context on the open source license risk pillar.
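As an added illustration of the dependency map described above (example code written for this page, not the consultancy's own tooling), the script below classifies each component's declared SPDX license as permissive, copyleft, source-available or unknown, and cross-checks the projects this page names against a relicensing watchlist. The license sets, the inventory and its version dates are constructed samples; the watchlist dates are the months the page gives, and the first release each project actually shipped under its new terms is assumed to need separate confirmation, which is why a post-cutover release that still declares an open source license is reported for verification rather than flagged outright.

```python
"""License-state check over a dependency inventory (added example, not the page's tooling)."""
from dataclasses import dataclass
from datetime import date

# Constructed subset of SPDX identifiers; not an exhaustive OSI list.
OSI_APPROVED = {"MIT", "Apache-2.0", "BSD-3-Clause", "MPL-2.0", "LGPL-3.0-only",
                "GPL-3.0-only", "AGPL-3.0-only"}
STRONG_COPYLEFT = {"GPL-3.0-only", "AGPL-3.0-only"}
WEAK_COPYLEFT = {"MPL-2.0", "LGPL-3.0-only"}
# Source-available terms named on the page: not OSI-approved, and their
# restrictions can bind software that is already deployed.
SOURCE_AVAILABLE = {"BUSL-1.1", "SSPL-1.0", "Elastic-2.0"}

# Relicensing watchlist built from the events the page lists. Dates are the
# month (or year) the page gives; the first release actually published under
# the new terms may be later, so a match here means "verify", not "violates".
RELICENSED = {
    "terraform": ("BUSL-1.1", date(2023, 8, 1)), "vault": ("BUSL-1.1", date(2023, 8, 1)),
    "consul": ("BUSL-1.1", date(2023, 8, 1)), "nomad": ("BUSL-1.1", date(2023, 8, 1)),
    "packer": ("BUSL-1.1", date(2023, 8, 1)), "redis": ("SSPL-1.0", date(2024, 3, 1)),
    "elasticsearch": ("SSPL-1.0", date(2021, 1, 1)), "kibana": ("SSPL-1.0", date(2021, 1, 1)),
    "mongodb": ("SSPL-1.0", date(2018, 1, 1)),
}
# Community forks the page mentions as one containment path.
FORKS = {"terraform": "OpenTofu", "redis": "Valkey"}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str    # SPDX identifier as declared in the package metadata
    released: date  # release date of the version actually in use


def classify(spdx: str) -> str:
    """Bucket a declared license string; order matters because GPL ids are also OSI-approved."""
    if spdx in SOURCE_AVAILABLE:
        return "source-available"
    if spdx in STRONG_COPYLEFT:
        return "strong-copyleft"
    if spdx in WEAK_COPYLEFT:
        return "weak-copyleft"
    if spdx in OSI_APPROVED:
        return "permissive"
    return "unknown"


def next_step(name: str) -> str:
    fork = FORKS.get(name.lower())
    if fork:
        return f"evaluate the community fork {fork}, or negotiate a commercial license"
    return "negotiate a commercial license, pin a pre-relicense release line, or remove the dependency"


def _finding(c: Component, severity: str, kind: str, reason: str) -> dict:
    return {"component": c.name, "version": c.version, "severity": severity,
            "kind": kind, "reason": reason, "next_step": next_step(c.name)}


def assess(components: list[Component]) -> list[dict]:
    """Return one finding per component that needs attention; clean components produce none."""
    findings = []
    for c in components:
        kind = classify(c.license)
        watch = RELICENSED.get(c.name.lower())
        if kind == "source-available":
            findings.append(_finding(c, "high", kind,
                f"{c.license} is source-available, not OSI-approved"))
        elif watch is not None and c.released >= watch[1]:
            # Metadata still says open source, but the project relicensed before this release
            # date: the declared license may be stale, or this may be a maintained older line.
            new_license, since = watch
            findings.append(_finding(c, "high", "verify",
                f"declared {c.license}, but {c.name} moved to {new_license} as of "
                f"{since:%Y-%m}; confirm the LICENSE file shipped with {c.version}"))
        elif kind == "strong-copyleft":
            findings.append(_finding(c, "medium", kind,
                "strong copyleft; review distribution and network-service obligations"))
        elif kind == "unknown":
            findings.append(_finding(c, "medium", kind,
                "license string could not be classified; resolve manually"))
    return findings


def exposure_summary(findings: list[dict]) -> dict:
    summary = {"high": 0, "medium": 0}
    for f in findings:
        summary[f["severity"]] += 1
    return summary


# Constructed sample inventory; versions and dates are illustrative, not a real SBOM.
INVENTORY = [
    Component("terraform", "1.7.0", "BUSL-1.1", date(2024, 1, 17)),
    Component("terraform", "1.5.7", "MPL-2.0", date(2023, 9, 7)),   # older line, post-cutover date
    Component("redis", "7.2.4", "BSD-3-Clause", date(2024, 1, 9)),   # pre-cutover release
    Component("redis", "7.4.0", "SSPL-1.0", date(2024, 7, 30)),
    Component("mongodb", "6.0.0", "SSPL-1.0", date(2022, 7, 19)),
    Component("ghostscript", "10.02.1", "AGPL-3.0-only", date(2023, 11, 1)),
    Component("left-pad", "1.3.0", "MIT", date(2018, 4, 1)),
    Component("vendor-sdk", "2.1.0", "SEE LICENSE IN LICENSE.txt", date(2024, 2, 1)),
]

if __name__ == "__main__":
    results = assess(INVENTORY)
    for f in results:
        print(f"[{f['severity']}] {f['component']} {f['version']}: {f['reason']} -> {f['next_step']}")
    print(exposure_summary(results))
```

The "verify" bucket is the part worth keeping in a real inventory check: the Terraform 1.5.x entry in the sample has a release date after the watchlist month yet legitimately declares MPL-2.0, so a checker that trusted the date alone would misreport it, and one that trusted the metadata alone would miss a release whose manifest was never updated. Reporting it for confirmation is what the intake gate described in the engagement text is meant to catch.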

Why independence matters

When the firm advising you also resells the software, the advice bends toward the sale. We do not resell anything. We are paid only by the buyer, which is the whole point. The recommendation you receive is the one that serves your risk position, whether that is a fork to OpenTofu or Valkey, a negotiated commercial license, a targeted dependency removal, or simply better governance. You can read more on why our independence matters.

COMMON QUESTIONS

Questions buyers ask.

What does an open source license risk consultant do?

An open source license risk consultant maps the open source you run, names the components whose license has changed, quantifies the exposure, and recommends a path to contain it. The work is independent and buyer side, so the advice reflects your risk rather than a vendor sales target.

When should we bring in a consultant?

Bring in a consultant when a project you depend on relicenses, when a vendor or auditor raises a question, ahead of a deal, or when you simply cannot say with confidence what licenses govern your production software. Earlier is cheaper than later.

Do you only cover HashiCorp, Redis, and Elastic?

No. Those are the most prominent relicensing events, but the consultant reviews your full dependency tree across every license family, including permissive, copyleft, and source available licenses such as the Business Source License and the Server Side Public License.

Is this legal advice?

No. This is commercial and licensing risk advisory, not legal advice. For interpretation of license terms and compliance questions, we recommend you engage your own counsel.

CONTAINMENT

Talk to an open source license risk consultant.

A confidential open source license risk assessment. Independent, buyer side, paid only by you.

Not ready to talk? Read the free open source license risk guides first.

Independent, confidential, buyer side. See how buyers contained their exposure →
