OpenSource Risk Experts
Map your blast radius

PREVENT

An open source policy development service that catches the next relicense early.

Our open source policy development service sets the rules before the next change lands. License allowlists, approval gates, and intake controls are built to your risk tolerance and wired into how your teams ship, so a future relicense is caught at intake rather than in an audit. Independent, buyer side, paid only by you.

Not ready to talk? Read the free open source license risk guides first.

An open source policy development service exists because the cheapest exposure to contain is the exposure that never enters. The relicensing events of recent years were not failures of scanning. They were failures of process. A component adopted years ago under a permissive license changed terms, and nothing in the pipeline was watching for it. A policy turns that blind spot into a control.

What the policy covers

  • A license allowlist and denylist matched to your risk tolerance, naming families such as permissive, copyleft, and source available.
  • Approval gates for new dependencies, with a clear owner and a fast path for low risk adoptions.
  • Intake controls wired into your build and procurement steps so the policy is enforced, not aspirational.
  • A defined response for when a dependency you already run changes terms.

Why source available needs an explicit rule

Many policies were written when open source meant Open Source Initiative-approved licenses. The Business Source License and the Server Side Public License break that assumption. They are source available, not open source, and they carry competitive-use and service conditions that a permissive allowlist never anticipated. As of August 2023 HashiCorp moved its core tools to the Business Source License, and Redis and Elastic moved to models including the Server Side Public License. A modern policy names these families directly and decides their treatment in advance.

Wired into how teams ship

A policy that lives in a wiki page changes nothing. We build the rules into the gates your teams already pass through, so adoption is checked at the point of decision and a relicense raises a flag automatically. The goal is a control that holds without slowing delivery.
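The allowlist, intake gate and relicense response described above, as an added illustration (not the service's own tooling): it assumes the SBOM carries SPDX license identifiers and uses a constructed inventory, and it treats a change in recorded terms as a flag even when the new license lands in an allowed family.

```python
from dataclasses import dataclass

# Family map keyed by SPDX identifier (assumption: the SBOM carries SPDX ids).
FAMILIES = {
    "MIT": "permissive", "Apache-2.0": "permissive", "BSD-3-Clause": "permissive",
    "GPL-3.0-only": "copyleft", "AGPL-3.0-only": "copyleft",
    "BUSL-1.1": "source-available", "SSPL-1.0": "source-available",
}
# Risk tolerance per family: allow outright, route to an approver, or block.
POLICY = {"permissive": "allow", "copyleft": "review", "source-available": "deny"}

@dataclass(frozen=True)
class Finding:
    name: str
    license_id: str
    decision: str  # "allow", "review" or "deny"
    reason: str

def classify(license_id):
    """Decide on a license id; anything the policy does not name goes to review."""
    family = FAMILIES.get(license_id)
    return POLICY[family] if family else "review"

def evaluate_intake(components, prior_licenses):
    """Gate (name, version, spdx_id) tuples; prior_licenses holds the license
    recorded per name at the last review, so a mismatch is a relicense."""
    findings = []
    for name, version, lic in components:
        decision = classify(lic)
        reason = f"{lic} is {FAMILIES.get(lic, 'unlisted')} -> {decision}"
        prior = prior_licenses.get(name)
        if prior is not None and prior != lic:
            # A terms change never passes silently, even into an allowed family.
            decision = "deny" if decision == "deny" else "review"
            reason = f"relicensed {prior} -> {lic}; {reason}"
        findings.append(Finding(f"{name}@{version}", lic, decision, reason))
    return findings

def gate_passes(findings):
    """The build step fails on any deny; review items block until approved."""
    return all(f.decision == "allow" for f in findings)

# Constructed sample inventory; names and versions are not real components.
SAMPLE = [
    ("httpkit", "2.1.0", "Apache-2.0"),
    ("dbengine", "7.0.0", "SSPL-1.0"),  # recorded as BSD-3-Clause at last review
    ("loggo", "3.0.0", "MIT"),  # recorded as Apache-2.0: allowed family, still review
    ("cachelib", "1.4.2", "LicenseRef-Vendor"),
]
PRIOR = {"httpkit": "Apache-2.0", "dbengine": "BSD-3-Clause", "loggo": "Apache-2.0"}
```

Running `evaluate_intake(SAMPLE, PRIOR)` returns one Finding per component; wiring `gate_passes` into the build step is what turns the policy from a wiki page into a control.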

How policy fits the wider program

Policy is the preventive layer. It sits alongside detection, which comes from a software bill of materials and continuous dependency mapping. For the full picture read the governance and SBOM pillar and the open source license risk guide. When you need to act on what is already in your estate, begin with an open source license risk assessment. The full set of advisory services explains how the layers connect.

COMMON QUESTIONS

Questions buyers ask.

What is an open source policy development service?

An open source policy development service builds the rules that govern how your teams adopt open source: a license allowlist, approval gates, and intake controls wired into how you ship, so a future relicense is caught at intake rather than in an audit.

Why do we need a policy if we already scan dependencies?

Scanning finds components after they are in. A policy decides what is allowed before adoption and sets a process for handling a relicense. Together they close the gap that lets source available components such as those under the Business Source License or the Server Side Public License enter unnoticed.

How long does it take to stand up a policy?

A workable first version can be agreed quickly, then refined as it meets real cases. The aim is a policy your teams follow, not a document that sits unread, so we wire it into existing approval and build steps.

Is the open source policy development service legal advice?

No. It is commercial and licensing risk advisory, not legal advice. For binding interpretation of license terms we recommend your own counsel.

PREVENT

Catch the next relicense at intake, not in an audit.

A confidential open source policy development service. Independent, buyer side, paid only by you.
