OpenSource Risk Experts

Open source indemnities and warranties.

Open source indemnities and warranties are the contract promises that allocate who carries the cost when an open source problem surfaces after a deal or a purchase. This guide explains what they cover, where they fall short on relicensing risk, and why buyers pair them with a direct map of the exposure rather than relying on them alone.

Every deal and most vendor contracts carry promises about open source. A warranty states that something is true. An indemnity promises to cover defined losses if that statement turns out to be wrong. Open source indemnities and warranties exist because no buyer can fully verify the license state of every component in a target or a product, so the contract allocates the residual risk. The trouble is that these clauses were written for a world where licenses were stable. The recent wave of relicensing has tested that assumption, and a buyer who treats a warranty as full protection against a future change can be left holding a cost the clause was never built to cover. Understanding what these promises do, and do not do, is the difference between informed allocation and false comfort.

What the warranty actually promises

A typical open source warranty states that the seller holds the rights it grants, that it complies with the licenses of the open source it uses, and sometimes that it has disclosed the material components in a schedule. The key feature is timing. A warranty usually speaks to the state of affairs as of the signing date. It is a snapshot, not a forecast. That matters for relicensing risk, because a project moving to a source available license after closing is a future event, not a present untruth. HashiCorp moved Terraform and its other products to the Business Source License in August 2023, Elastic moved Elasticsearch and Kibana to the Server Side Public License in 2021, and Redis moved to a source available model in March 2024. A warranty signed before any of those dates would not have been breached by the change that followed. Whether a specific clause reaches forward at all is a drafting and interpretation question for your own counsel.

Where the indemnity stops short

An indemnity is the financial backstop behind the warranty, but it is rarely unlimited. Indemnities are commonly capped at a portion of deal value, limited in time, and subject to baskets and exclusions that a seller negotiates hard. The practical effect is that an indemnity can soften a loss without fully covering it. Relicensing costs are particularly awkward here, because they can emerge over years as a vendor raises prices at renewal or a forced migration consumes engineering capacity well after the survival period has lapsed. A buyer who relies on the indemnity alone may find the cap is reached, or the clock has run, long before the true cost of a source available dependency is paid. The way to size that cost before signing is set out in quantifying open source risk for a deal.

How buyers use these clauses well

The strongest buyer position uses diligence and contract protection together rather than leaning on either alone. Diligence finds the exposure, so a disclosed source available dependency can be priced into the deal directly. Warranties and indemnities then backstop what diligence could not eliminate, such as an undisclosed component or a misstatement about compliance. This is why a buyer should run the dependency map first and shape the clauses around what it finds, not the other way round. The map itself comes from an open source due diligence checklist, and the specific relicensing exposure in a target is addressed in relicensing exposure in an acquisition target. The distribution obligations that some warranties speak to are explained in copyleft distribution obligations explained. The full picture sits in our pillar on open source in M and A and compliance.
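The three buckets above (exposure priced into the deal, exposure a warranty backstops, and post-closing relicensing that a snapshot warranty does not reach) can be separated mechanically once the dependency map exists. The script below is an added example written for this page, not a tool from the advisory or from any vendor. It assumes the seller's disclosure schedule and the buyer's own map both reduce to a component-to-SPDX-identifier mapping; the inventories, the misstatement and the omission in them are constructed for illustration, and the SOURCE_AVAILABLE set is a policy choice the buyer would set for itself.

```python
"""Split licensing exposure into the three buckets a deal team needs:
priced into the deal (source available and known at signing), warranty
territory (omitted or mis-licensed in the seller's schedule at signing),
and outside a snapshot warranty (relicensed after the signing date).

Added example for this page; inventories below are constructed.
"""
from __future__ import annotations

# SPDX identifiers the buyer treats as source available rather than open
# source. BUSL-1.1 and SSPL-1.0 are the two licenses the article names;
# extend to match your own policy.
SOURCE_AVAILABLE: frozenset[str] = frozenset({"BUSL-1.1", "SSPL-1.0", "Elastic-2.0"})

# Seller's disclosure schedule: what the warranty asserts is true at signing.
SCHEDULE = {
    "terraform": "MPL-2.0",
    "elasticsearch": "Apache-2.0",  # constructed misstatement: the map finds SSPL-1.0
    "redis": "BSD-3-Clause",
}

# Buyer's own dependency map, captured at signing (constructed).
MAP_AT_SIGNING = {
    "terraform": "MPL-2.0",
    "elasticsearch": "SSPL-1.0",
    "redis": "BSD-3-Clause",
    "postgresql": "PostgreSQL",     # constructed omission: absent from the schedule
}

# The same map re-run at a later renewal or survival-period review (constructed).
MAP_AT_RENEWAL = {
    "terraform": "BUSL-1.1",         # relicensed after signing
    "elasticsearch": "SSPL-1.0",
    "redis": "SSPL-1.0",             # relicensed after signing
    "postgresql": "PostgreSQL",
}


def warranty_discrepancies(schedule: dict[str, str], found: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Components the seller omitted or mis-licensed as of signing.
    These are present untruths, the case a warranty and indemnity are built for."""
    out: dict[str, tuple[str, str]] = {}
    for comp, lic in sorted(found.items()):
        disclosed = schedule.get(comp)
        if disclosed is None:
            out[comp] = ("undisclosed", lic)
        elif disclosed != lic:
            out[comp] = ("misstated", f"{disclosed} -> {lic}")
    return out


def priced_at_signing(found: dict[str, str]) -> dict[str, str]:
    """Source available components already visible at signing: price these
    into the deal directly rather than relying on the clause."""
    return {c: l for c, l in found.items() if l in SOURCE_AVAILABLE}


def post_signing_relicenses(at_signing: dict[str, str], later: dict[str, str]) -> dict[str, dict]:
    """License changes after the snapshot date. A standard warranty speaks to
    signing-date state, so these fall outside it; moves into SOURCE_AVAILABLE
    are flagged because they carry the renewal-pricing and migration cost."""
    changes: dict[str, dict] = {}
    for comp, lic in sorted(later.items()):
        old = at_signing.get(comp)
        if old is not None and old != lic:
            changes[comp] = {
                "from": old,
                "to": lic,
                "to_source_available": lic in SOURCE_AVAILABLE and old not in SOURCE_AVAILABLE,
            }
    return changes


def exposure_report(schedule: dict[str, str], at_signing: dict[str, str], later: dict[str, str]) -> dict:
    """Bundle the three buckets so the deal team can read them side by side."""
    return {
        "warranty_territory": warranty_discrepancies(schedule, at_signing),
        "price_into_deal": priced_at_signing(at_signing),
        "outside_snapshot_warranty": post_signing_relicenses(at_signing, later),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(exposure_report(SCHEDULE, MAP_AT_SIGNING, MAP_AT_RENEWAL), indent=2))
```

Run against the constructed inventories, the report puts elasticsearch in both the warranty bucket (the schedule misstates it) and the price-into-deal bucket (the map shows SSPL-1.0 at signing), puts postgresql in the warranty bucket as undisclosed, and lists terraform and redis as post-signing relicenses that no snapshot warranty covers. The same split is what the clauses should then be sized against.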

The advisory and the counsel line

There is a clear division of labor here. The drafting, scope, and enforceability of an indemnity or a warranty are the work of your own counsel, and we always recommend involving them. Our role is the commercial and licensing risk side: finding the open source exposure these clauses are meant to address, sizing it in money and time, and giving the deal team a defensible picture of what is being allocated. A clause is only as good as the buyer's understanding of the risk behind it. The aim is to enter the negotiation knowing what the open source actually carries, so the warranty and the indemnity are sized to a real number rather than a hope.

COMMON QUESTIONS

Questions buyers ask.

What are open source indemnities and warranties?

Open source indemnities and warranties are contract promises about the open source in a product or a target. A warranty is a statement that something is true, for example that the seller has the rights it grants and complies with the open source licenses it uses. An indemnity is a promise to cover defined losses if that turns out to be wrong. Together they allocate who carries the cost when an open source problem surfaces after a deal or a purchase.

Do open source warranties cover a future relicense?

Usually not on their own. A warranty typically speaks to the state of compliance as of the signing date, not to a vendor or upstream project changing its license later. A move to a source available license such as the Business Source License or the Server Side Public License after closing often falls outside a standard warranty. Whether a given clause reaches forward is a drafting and interpretation question for your own counsel, which is why buyers also map the exposure directly.

Why are open source indemnities often capped or limited?

Indemnities are commonly capped at a portion of deal value, time limited, and subject to baskets and exclusions. A seller will resist unlimited exposure for open source it cannot fully control. The practical effect is that an indemnity can blunt a loss without fully covering it, especially for relicensing costs that emerge over years. A buyer who relies on the indemnity alone may find the cap is reached well before the remediation is paid for.

How do buyers use open source warranties in a deal?

Buyers use diligence to find the exposure, then use warranties and indemnities to allocate what diligence could not eliminate. A disclosed source available dependency might be priced into the deal directly, while an undisclosed one is the kind of risk a warranty is meant to backstop. The strongest position pairs an accurate dependency map with targeted contract protection, rather than leaning on either alone.

Is this legal advice on indemnities and warranties?

No. This is commercial and licensing risk advisory, not legal advice. We help buyers find and size the open source exposure that these clauses are meant to address, on the buyer side. The drafting, scope, and enforceability of any indemnity or warranty are questions for your own counsel.

DUE DILIGENCE

Size the exposure behind the clause.

Our M and A due diligence finds and prices the open source risk a warranty is meant to backstop. Independent, buyer side, paid only by you.
