OpenSource Risk Experts
Map your blast radius

RISK ASSESSMENT

Open source licensing risk assessment that shows you what changed and what it costs.

An open source licensing risk assessment maps every dependency you run, direct and transitive, and records the license state of each one. You leave with a ranked picture of your exposure, including the components that have quietly changed terms since you adopted them, and a clear sense of where to act first.

Independent, confidential, buyer side. See how buyers contained their exposure →

Request your assessment

What an open source licensing risk assessment covers

Most teams know roughly what open source they adopted. Few know what governs it today. Licenses change, and they change under software that is already in production. An open source licensing risk assessment closes that gap. We build a full dependency tree, direct and transitive, and attach the current license state to every node. The output is a single, current picture of what governs your software, with the highest exposure ranked to the top.

The relicensing wave makes this urgent. HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer to the Business Source License 1.1 as of August 2023. Redis moved to a Redis Source Available License and Server Side Public License model as of March 2024. Elasticsearch and Kibana moved to the Server Side Public License and the Elastic License as of 2021, and MongoDB moved to the Server Side Public License in 2018. Source available is not open source, and none of these are OSI approved. Any of them can be running in your estate right now, under terms you never agreed to.

What you receive

The assessment produces three things you can use immediately. The first is a complete dependency tree that shows every component and where it sits. The second is the license state per node, so a relicensed component cannot hide in a transitive layer. The third is a risk-ranked findings report that tells you, in plain board language, which exposures matter and what each one would cost to cure. Where a component has moved to a source-available license, we trace the blast radius through everything built on it.
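The dependency tree, per-node license state and blast-radius tracing described above, as an added Python example that is not the firm's own tooling: the component names, adoption history and license identifiers are constructed, and the set of identifiers flagged as source-available is an assumption.

```python
from collections import defaultdict, deque
# Constructed sample estate (assumed names, not from the page): component -> (license it was
# adopted under, license it carries today, direct dependencies).
COMPONENTS = {
    "internal/billing-api": ("proprietary", "proprietary", ["redis-client", "internal/search-lib"]),
    "internal/session-svc": ("proprietary", "proprietary", ["redis-client"]),
    "internal/search-lib": ("proprietary", "proprietary", ["elasticsearch"]),
    "internal/infra-tool": ("proprietary", "proprietary", ["terraform-sdk"]),
    "redis-client": ("MIT", "MIT", ["redis"]),
    "redis": ("BSD-3-Clause", "RSALv2 OR SSPL-1.0", []),
    "elasticsearch": ("Apache-2.0", "SSPL-1.0 OR Elastic-2.0", []),
    "terraform-sdk": ("MPL-2.0", "MPL-2.0", ["terraform"]),
    "terraform": ("MPL-2.0", "BUSL-1.1", []),
}

# Source-available identifiers to flag (assumed labels; none of these are OSI approved).
SOURCE_AVAILABLE = {"BUSL-1.1", "SSPL-1.0", "Elastic-2.0", "RSALv2"}

def is_source_available(license_expr):
    # Flag only if every alternative in an "A OR B" expression is source-available.
    return all(opt.strip() in SOURCE_AVAILABLE for opt in license_expr.split(" OR "))

def reverse_graph(components):
    # component -> set of components that depend on it directly.
    dependents = defaultdict(set)
    for name, (_, _, deps) in components.items():
        for dep in deps:
            dependents[dep].add(name)
    return dependents

def blast_radius(component, dependents):
    # Everything built on the component, transitively (BFS over reverse edges).
    seen, queue = set(), deque([component])
    while queue:
        for parent in dependents[queue.popleft()]:
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen

def rank_exposure(components):
    # One finding per source-available node, largest blast radius first.
    dependents = reverse_graph(components)
    findings = []
    for name, (adopted, current, _) in components.items():
        if is_source_available(current):
            findings.append({"component": name, "license": current, "changed": adopted != current,
                             "blast_radius": sorted(blast_radius(name, dependents))})
    return sorted(findings, key=lambda f: (-len(f["blast_radius"]), f["component"]))
```

Calling `rank_exposure(COMPONENTS)` on the sample puts redis first because two internal services sit on it through the client library, even though every flagged node is one hop from internal code.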

The assessment is the foundation for every later move. It feeds a relicensing exposure review, an open source remediation plan, or a negotiation, and it doubles as the evidence record you would stand on in an audit.

Why independence matters here

A licensing risk assessment is only useful if you can trust where it points. We are an independent, buyer side firm. We take no fee from any vendor and sell no software, so the findings reflect your interest alone. When the assessment recommends a fork, a replacement, or a negotiated license, that recommendation is not steered by a reseller margin. To understand the families of licenses behind these changes, read the pillar on open source license risk.

This is commercial and licensing risk advisory, not legal advice. We map exposure and quantify it. For interpretation of specific license terms and compliance obligations, we point you to your own counsel and structure the findings so counsel can act on them.

COMMON QUESTIONS

Questions buyers ask.

What is an open source licensing risk assessment?

An open source licensing risk assessment maps every open source dependency you run, direct and transitive, and records the current license state of each one. It surfaces the components that have quietly changed terms since you adopted them and ranks the exposure so you know what to address first.

How long does an assessment take?

A first pass is usually complete within two to four weeks, depending on the size of your estate and how much dependency data you can hand over at the start. You receive a ranked findings report and a dependency tree you can act on immediately.

Does the assessment cover BSL and SSPL projects?

Yes. The assessment flags components under the Business Source License and the Server Side Public License, including HashiCorp, Redis, Elastic, and MongoDB, and traces the blast radius through everything built on them.

Is the assessment confidential and independent?

Yes. The engagement is confidential and we work only from the buyer side. We take no fee from any vendor and sell no software, so the findings reflect your interest and nothing else.

Is this legal advice?

No. An open source licensing risk assessment is commercial and licensing risk advisory, not legal advice. For interpretation of license terms and compliance, we recommend your own counsel.

START HERE

See your exposure before it becomes a finding.

A confidential open source licensing risk assessment. Independent, buyer side, paid only by you.

Not ready to talk? Read the free open source license risk guides first.
