OpenSource Risk Experts
Map your blast radius

GLOSSARY / DEFINITION

What is an attribution requirement

An attribution requirement is the most common open source obligation of all: the duty to preserve and reproduce the notices that travel with the code. For enterprises that ship software, knowing what an attribution requirement is and how to satisfy it across a large dependency tree is basic license hygiene that auditors and acquirers expect to see.

Definition

An attribution requirement is an open source license condition that obliges you to keep and reproduce certain notices when you use or distribute the software. Typically this means preserving the copyright notice and the text of the license itself, so that anyone who receives the code can see who wrote it and under what terms. The MIT license, the BSD licenses, and the Apache 2.0 license are all built around this condition. Apache 2.0 goes one step further by requiring you to retain the contents of any NOTICE file the project ships. Attribution is the floor of open source obligation. Even the most permissive licenses, which place almost no other limits on how you reuse the code, still ask that credit and license text travel with it.

Which licenses carry it and how it differs from copyleft

Almost every open source license carries an attribution requirement. Permissive licenses such as MIT and Apache 2.0 make attribution their central, and often only, condition. Copyleft licenses such as the GNU General Public License also require notices to be preserved, but they layer a reciprocity condition on top, so attribution is the start of the obligation rather than the whole of it. The rare exceptions are public domain style dedications such as CC0, which ask for nothing in return. The key distinction is that an attribution requirement does not reach into your own code the way copyleft can. Meeting it does not force you to release anything you wrote. It only asks that you carry forward the credit and license text of the components you used, which is why it is the lightest of the open source duties yet the one most often overlooked.

What it means for license risk

The risk in an attribution requirement is not severity but scale. A single missing notice is easy to cure, but a modern product can pull in hundreds of components through transitive dependencies, and each may carry its own notice. Failing to reproduce them is a breach of the license, which in principle removes your grant to use the code. The fix is usually just adding the notices, but the bigger signal is what the omission says about your controls: an auditor, an acquirer in diligence, or a vendor pressing a claim treats a missing attribution as evidence that the wider dependency tree is not being tracked. The practical defense is to generate a notices file from the full tree, ship it with the product, and refresh it as dependencies change. A software bill of materials makes this repeatable, because the map that records each component also records the notice text it carries. Whether a specific notice satisfies a specific license is a question for your own counsel.

Related reading

To see how attribution sits within the broader set of duties a license can impose, read our definition of a license obligation. For the family of licenses where attribution is the main condition, see what a permissive license is, and for the specific case that adds a NOTICE file duty, see the Apache License 2.0. For the full set of terms, browse the rest of our open source license risk glossary.

CONTAINMENT

Find every notice you owe

An open source license risk assessment maps every dependency and the attribution it carries, so your notices file is complete and current. Independent, buyer side, paid only by you.

Not ready to talk? Read the free open source license risk guides first.


COMMON QUESTIONS

Questions buyers ask.

What is an attribution requirement?

An attribution requirement is an open source license condition that obliges you to preserve and reproduce certain notices when you use or distribute the software. Most permissive licenses such as MIT and Apache 2.0 require you to keep the copyright notice and license text, and Apache 2.0 also requires you to retain any NOTICE file. It is the minimum duty that even the most permissive licenses impose.

Which licenses have attribution requirements?

Almost all of them. Permissive licenses such as MIT, BSD, and Apache 2.0 are built around an attribution condition. Copyleft licenses such as the GNU GPL also require notices to be preserved, on top of their reciprocity conditions. Public domain dedications such as CC0 are the rare case with no attribution duty. In practice, any nontrivial dependency tree carries attribution obligations.

What happens if you fail to meet an attribution requirement?

Failing to reproduce required notices is a breach of the license, which can mean you no longer have a valid grant to use the code. For most permissive licenses the cure is straightforward: add the missing notices. The risk grows when the omission is discovered during an audit, a deal, or a dispute, because it signals weak controls over the wider dependency tree.

How do enterprises meet attribution requirements at scale?

By generating and shipping a notices file built from the full dependency tree, direct and transitive, and keeping it current as dependencies change. A software bill of materials makes this repeatable, because the same map that records each component records the license and notice text it carries. Manual attribution does not scale past a handful of dependencies.
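As an added example, not part of this glossary or any tool the site offers, the Python below applies the approach described here and in the license risk section: it builds a notices file from an SBOM-style component list, lists a package reached through several transitive paths once, reproduces Apache-2.0 NOTICE contents, skips CC0 entries, and reports every component whose copyright notice or license text the SBOM lacks. The component names, versions and field layout are constructed sample data, not a real project's SBOM.

```python
# Added example (constructed sample data): notices file from an SBOM-style component list plus a gap report.
from dataclasses import dataclass
from typing import Optional

NO_ATTRIBUTION = {"CC0-1.0"}           # public domain style dedications ask nothing back
REQUIRES_NOTICE_FILE = {"Apache-2.0"}  # must also carry the project's NOTICE contents

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license_id: str
    copyright: str = ""
    license_text: str = ""
    notice: Optional[str] = None  # None: never checked; "": checked, project ships none

def missing_attribution(c):
    """Return the notice material this component owes but the SBOM does not record."""
    if c.license_id in NO_ATTRIBUTION:
        return []
    gaps = [label for label, value in (("copyright notice", c.copyright),
                                       ("license text", c.license_text)) if not value]
    if c.license_id in REQUIRES_NOTICE_FILE and c.notice is None:
        gaps.append("NOTICE file not checked")
    return gaps

def audit(components):  # 'name@version' -> gaps, listing only components with gaps
    return {f"{c.name}@{c.version}": g for c in components if (g := missing_attribution(c))}

def build_notices(components):
    """Render one block per unique component; a package reached via several paths appears once."""
    blocks = []
    for c in sorted(set(components), key=lambda c: (c.name, c.version)):
        if c.license_id in NO_ATTRIBUTION:
            continue
        block = [f"== {c.name} {c.version} ({c.license_id}) ==", c.copyright, c.license_text]
        if c.notice:  # reproduce NOTICE contents verbatim where the project ships one
            block += ["-- NOTICE --", c.notice]
        blocks.append("\n".join(block))
    return "\n\n".join(blocks) + "\n"

SAMPLE_SBOM = [  # constructed; the duplicate mimics one dependency reached via two paths
    Component("acme-json", "1.2.0", "MIT", "Copyright (c) 2021 Acme", "MIT text..."),
    Component("acme-json", "1.2.0", "MIT", "Copyright (c) 2021 Acme", "MIT text..."),
    Component("acme-http", "3.0.1", "Apache-2.0", "Copyright 2020 Acme", "Apache text...",
              "Acme HTTP\nCopyright 2020 Acme"),
    Component("acme-ids", "0.9.4", "Apache-2.0", "Copyright 2019 Acme", "Apache text..."),
    Component("acme-log", "1.0.0", "BSD-3-Clause", "", "BSD text..."),
    Component("tiny-util", "2.1.0", "CC0-1.0"),
]
```

Running `audit(SAMPLE_SBOM)` flags the Apache-2.0 component whose NOTICE file was never checked and the BSD component with no copyright line; `build_notices(SAMPLE_SBOM)` is the text to ship with the product and regenerate whenever the dependency tree changes.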

Is this legal advice?

No. This is commercial and licensing risk advisory, not legal advice. For interpretation of attribution duties in your specific use, engage your own counsel.