FOR LEGAL
Open source risk for legal teams, mapped and evidenced.
Open source risk for legal teams is the factual record general counsel needs: which components run under which license, since when, and where, across the production estate. We map the exposure and cost the options. Your counsel keeps the interpretation. Independent, buyer side, paid only by you.
Not ready to talk? Read the free open source license risk guides first.
Independent, confidential, buyer side. See how buyers contained their exposure →
Legal teams are increasingly asked a question they cannot answer from the record they hold: are we exposed by a license change to software we already run? The reason is structural. Open source enters the estate through engineering, not procurement, and its terms can change years after adoption without anyone updating a contract or a register. When a project relicenses, the legal question lands on a desk that has no current inventory to reason from. Open source risk for legal teams closes that gap by supplying the facts, so counsel can advise the business on what is actually there.
The recent changes make this concrete. HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer to the Business Source License 1.1 as of August 2023. Redis moved to a dual model, the Redis Source Available License and the Server Side Public License, as of March 2024. Elasticsearch and Kibana moved to the Server Side Public License and the Elastic License in 2021. MongoDB moved to the Server Side Public License in 2018. Copyleft obligations under the GNU AGPL sit alongside these. A relicensing does not rewrite the terms of the version you already adopted, but every upgrade, security patch, and new deployment after the change carries the new terms, which turns a quiet dependency into a live legal exposure the moment it is next updated.
Where the advisory ends and counsel begins
The division of labor is clean. We map the estate and establish the facts: every component, its license state as of the date of the review, where it runs, and how it is deployed. We size the exposure and cost the routes to contain it. Your counsel interprets the terms, decides the legal position, and owns the advice to the business. We do not interpret license language and we do not give legal advice. The advisory exists to remove the uncertainty that makes legal judgment slow and expensive, not to substitute for it.
Source available is not open source. The Business Source License and the Server Side Public License are not approved by the Open Source Initiative, and their restrictions on commercial and hosted use create a different legal shape from a permissive license. An inventory that does not distinguish the two will mislead the very person relying on it. Our mapping reads license state as it stands today, compares it with the terms recorded at adoption, and flags the components that have moved.
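The distinction above is mechanical once the inventory records licenses as SPDX identifiers: source-available identifiers are not OSI-approved and are a closed, known set. The script below is an added example, not the advisory's own tooling. It reads a constructed CycloneDX-style SBOM and a constructed adoption-time register (neither is real scan output; the component versions and the internal-tool entry are invented), classifies each component as source-available, network copyleft, unknown, or other, and flags any whose current license differs from the one recorded at adoption.

```python
"""Flag source-available, copyleft and relicensed components in an SBOM.

Added example for illustration; not the advisory's tooling. Classification
is by SPDX identifier. The SBOM and the adoption register are constructed.
"""
import json
from dataclasses import dataclass

# SPDX identifiers for the source-available licenses discussed on this page.
# None of these is approved by the Open Source Initiative.
SOURCE_AVAILABLE = {"BUSL-1.1", "SSPL-1.0", "Elastic-2.0"}
# Strong network copyleft: obligations can be triggered by network use.
NETWORK_COPYLEFT = {"AGPL-3.0-only", "AGPL-3.0-or-later"}

# Constructed CycloneDX-style SBOM for a hypothetical estate (not real output).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "terraform", "version": "1.6.0",
         "licenses": [{"license": {"id": "BUSL-1.1"}}]},
        {"name": "redis", "version": "7.4.0",
         "licenses": [{"license": {"id": "SSPL-1.0"}}]},
        {"name": "grafana", "version": "10.2.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"name": "nginx", "version": "1.25.3",
         "licenses": [{"license": {"id": "BSD-2-Clause"}}]},
        # Hypothetical component with no license recorded at all.
        {"name": "internal-tool", "version": "0.3.1"},
    ],
})

# Constructed adoption-time register: the license each component ran under
# when it entered the estate. In practice this comes from the register or
# procurement record, never from the current SBOM.
ADOPTED = {
    "terraform": "MPL-2.0",
    "redis": "BSD-3-Clause",
    "grafana": "AGPL-3.0-only",
    "nginx": "BSD-2-Clause",
}


@dataclass
class Finding:
    name: str
    version: str
    license: str
    category: str   # source-available | copyleft | unknown | other
    note: str       # relicensing note, if the license changed since adoption


def component_licenses(component: dict) -> list[str]:
    """Collect SPDX ids, names or expressions from a CycloneDX component."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        if "id" in lic:
            ids.append(lic["id"])
        elif "name" in lic:
            ids.append(lic["name"])
        if "expression" in entry:
            ids.append(entry["expression"])
    return ids


def classify(sbom: dict, adopted: dict[str, str]) -> list[Finding]:
    """Return only the components counsel needs to look at.

    A component is reported when its license is source-available or network
    copyleft, when no license is recorded (an unknown cannot be defended), or
    when its current license differs from the one recorded at adoption. Note
    that the adopted version itself stays under the old terms; the exposure is
    on upgrades and new deployments after the change.
    """
    findings = []
    for comp in sbom["components"]:
        name, version = comp["name"], comp.get("version", "")
        ids = component_licenses(comp)
        if not ids:
            findings.append(Finding(name, version, "", "unknown",
                                    "no license recorded in the SBOM"))
            continue
        for lic in ids:
            if lic in SOURCE_AVAILABLE:
                category = "source-available"
            elif lic in NETWORK_COPYLEFT:
                category = "copyleft"
            else:
                category = "other"
            prior = adopted.get(name)
            note = ""
            if prior and prior != lic:
                note = f"relicensed since adoption: {prior} -> {lic}"
            if category != "other" or note:
                findings.append(Finding(name, version, lic, category, note))
    return findings


def run() -> list[Finding]:
    """Classify the constructed SBOM against the constructed register."""
    return classify(json.loads(SBOM_JSON), ADOPTED)


if __name__ == "__main__":
    for f in run():
        print(f"{f.name} {f.version}: {f.license or '(none)'} [{f.category}] {f.note}")
```

Against the constructed input the script reports terraform and redis as source-available and relicensed since adoption, grafana as network copyleft, and internal-tool as unknown; nginx is permissive and unchanged, so it is left out. The "unknown" category is deliberate: a component with no recorded license is a gap in the record, not a clean bill, and it should reach counsel as such.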
A record built to be defended
Legal teams need evidence that survives challenge. When a vendor asserts a usage that triggers a commercial license, or an auditor opens an inquiry, the value is a defensible record of what you run, under which terms, and since when. We build the inventory to that standard. It turns an open ended question into a bounded, answerable one, and it gives counsel a documented basis to take a position rather than concede one. The same record supports a buyer side negotiation when a commercial license is the right outcome.
The work draws on our open source license risk services and the wider open source license risk pillar. For the legal context around copyleft and diligence, see the M&A and compliance guide, and for how source available terms behave in production, the relicensing exposure guide.
Why independence serves the legal function
We are paid only by the buyer, with no vendor relationship and no reseller arrangement. For a legal team that matters, because the record has to be neutral to be useful. A picture produced by a party with a stake in the outcome carries a discount the moment it is examined. Ours does not. The inventory reflects your exposure as it is, including the parts that are inconvenient, which is exactly the standard counsel needs to rely on it.
What the legal team receives
You receive a defensible inventory of license state across the estate, an exposure assessment in board language, and a costed set of remediation and negotiation options. The deliverable is structured for legal use: clear provenance, dated findings, and a record that holds up to a vendor, an auditor, or a board. For how this has supported buyers in practice, including diligence and contained exposure, see our case studies.
COMMON QUESTIONS
Questions legal teams ask.
What is open source risk for legal teams?
Open source risk for legal teams is the mapped, evidenced picture of relicensing exposure, copyleft obligations, and source available terms across production, prepared so general counsel can advise the business on facts rather than estimates.
How does this support general counsel?
We supply the factual record. Which components run under which license, since when, and where. Counsel keeps the interpretation and the legal judgment. The advisory removes the guesswork that makes those judgments hard.
Does the advisory replace our outside counsel?
No. This is commercial and licensing risk advisory, not legal advice. We work alongside your counsel, mapping the exposure and costing the options, while they interpret the terms and decide the legal position.
Which license changes most concern legal teams?
The moves to source available terms such as the Business Source License and the Server Side Public License, and copyleft obligations under the GNU AGPL. Each can apply to software already in production, because a relicensing attaches to every upgrade, patch, and new deployment after the change, which is what makes them a live legal question rather than a procurement footnote.
What do you deliver to the legal team?
A defensible inventory of license state across the estate, an exposure assessment, and a costed set of remediation or negotiation options. The record is built to stand up to a vendor, an auditor, or a board.
CONTAINMENT
Give counsel the facts before the vendor does.
A confidential open source license risk assessment. Independent, buyer side, paid only by you.