ARTICLE. UPDATED JUNE 2026
Quantifying Open Source Risk for a Deal
Quantifying open source risk for a deal is the step that turns a diligence finding into something the deal team can act on. A license exposure that is only described changes nothing. The same exposure expressed in money and time can move the price, become a condition of close, or sit behind a warranty. This is how a single dependency finding becomes a line in the valuation model.
Open source diligence often stops one step short of useful. A report lists components, flags some as copyleft or source available, and notes that they carry obligations. The deal team reads it, files it, and proceeds, because nothing in the report tells them what the findings are worth. The discipline that makes diligence matter is quantification: attaching a defensible figure, in money and in time, to each material exposure. A number changes behavior. A label rarely does.
Why a label is not enough when quantifying open source risk for a deal
A deal is a model. Every input that matters arrives as a number, because that is the language the model speaks. When a finding cannot be expressed as a number, it falls out of the model and becomes a footnote that nobody prices. The label copyleft tells a deal team that an obligation exists. It does not tell them whether satisfying that obligation costs ten thousand dollars or two million, and that difference is the entire question. The work of quantification is to close the gap between the finding and the figure, so the risk competes for attention on the same terms as everything else in the deal.
The same logic applies to relicensed dependencies. A target that runs Terraform, Redis, or Elasticsearch under a source available license has an exposure whose size depends entirely on how the target uses the software and what the remediation path costs. Stating that the component was relicensed is not a finding the model can use. Stating that bringing the estate into a comfortable position costs a specific sum over a specific number of weeks is.
The inputs that produce a defensible figure
A figure is only as good as the inputs behind it. Five are needed. The first is a resolved dependency tree for the target, direct and transitive, not the declared package list the seller prepared. The second is the current license state of every node, dated, because this area moves quickly and a component that was open when adopted may not be now. The third is the target's distribution and service model, which decides whether a given obligation actually bites. The fourth is the blast radius of each material component, the full set of services and teams that depend on it. The fifth is a realistic remediation path for each material finding. With these five inputs the figure follows almost mechanically. Without them, any number on the page is a placeholder dressed up as an estimate.
The blast radius input deserves particular care, because it is where most underestimates start. A component that appears once in a manifest can sit beneath dozens of services. The cost to remove it scales with that reach, not with the single line that names it. Tracing the radius before pricing is the difference between a figure the deal team can defend and one that collapses the first time engineering looks at it.
Pricing the three remediation paths
Every material exposure resolves to one of three paths, and each path prices differently. The first is replacement, where the target removes the component and substitutes another. Here the figure is the engineering effort to rip and replace, plus the schedule risk of doing so on a critical path, plus any feature loss the substitute imposes. The second is licensing, where the target takes a commercial license from the vendor. Here the figure is the vendor quote, sized honestly to the target's real usage rather than to the vendor's opening number, projected over the holding period the buyer cares about. The third is migration to a community fork such as OpenTofu, Valkey, or OpenSearch. Here the figure is the project cost of the move, including testing and any operational change, set against the saving of avoiding a commercial license.
For each component you choose the cheapest credible path and price that one, because that is what a rational owner would do. The exposure is not the worst case across all paths. It is the cost of the path the buyer would actually take. Pricing the worst case inflates the figure and weakens its credibility at the table. Pricing the realistic path keeps the number defensible, which is what gives it force in the negotiation.
Adding time and probability to the money
Money alone understates a deal risk. Two findings with the same dollar cost are not equal if one can be fixed in a sprint and the other ties up a platform team for two quarters. Time belongs in the figure, because schedule is what the buyer trades away during integration, when engineering attention is the scarcest resource in the company. A remediation that competes with the integration roadmap costs more than its invoice suggests, and the deal team should see that cost stated plainly.
Probability sharpens the picture further. Some exposures are near certain to require action, such as a clear commercial license demand on a component the target depends on. Others are contingent on an event that may not occur, such as a roadmap change that would trigger a restriction not currently in play. Weighting each figure by the likelihood that it materializes lets the deal team separate the exposures they must price now from the ones they can address with a representation. The method connects directly to the broader discipline set out in open source in M and A and compliance, and the obligation analysis it relies on is covered in copyleft distribution obligations explained.
Where the figure lands in the deal
A quantified exposure has three destinations, and the size of the figure usually decides which. A large, near certain cost belongs in the price, as a reduction the buyer can defend with the diligence behind it. A material cost the seller is better placed to fix belongs in a condition of close, where the seller remediates before the buyer takes ownership. A contingent or hard to size exposure belongs behind a representation and warranty, with an indemnity that pays out only if the risk materializes. Each destination matches a different shape of risk, and the quantified figure is what lets the deal team choose correctly rather than default to the loudest finding. A concrete example of this in practice sits in relicensing exposure in an acquisition target.
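The three remediation paths, the schedule and probability weighting, and the choice of deal destination described above, as an added worked example (not the article's own model): a small Python exposure calculator. The per-week integration cost, the 0.8 near-certain cut-off, and the component figures are constructed assumptions.

```python
from dataclasses import dataclass
# Constructed assumption: cost to the buyer of one week of platform-team
# attention during integration, when engineering time is scarcest.
INTEGRATION_WEEK_COST = 20_000.0

@dataclass
class RemediationPath:
    kind: str              # "replace", "license" or "fork"
    direct_cost: float     # engineering effort, or vendor quote over the holding period
    weeks: float           # calendar weeks taken from the integration roadmap
    credible: bool = True  # a path the buyer would actually take

@dataclass
class Exposure:
    component: str
    probability: float     # likelihood the obligation actually bites
    seller_can_fix: bool   # seller is better placed to remediate before close
    paths: list

def replacement_path(per_service_cost, weeks_per_service, blast_radius):
    """Rip-and-replace effort scales with blast radius, not with one manifest line."""
    return RemediationPath("replace", per_service_cost * blast_radius,
                           weeks_per_service * blast_radius)

def path_cost(p):
    """Money plus the schedule the buyer trades away during integration."""
    return p.direct_cost + p.weeks * INTEGRATION_WEEK_COST

def cheapest_credible(e):
    """Price the path a rational owner would take, not the worst case."""
    credible = [p for p in e.paths if p.credible]
    if not credible:
        raise ValueError(f"{e.component}: no credible remediation path")
    return min(credible, key=path_cost)

def expected_exposure(e):
    """Probability-weighted cost of the cheapest credible path."""
    return e.probability * path_cost(cheapest_credible(e))

def destination(e, near_certain=0.8):
    """Deal term the figure lands in; the 0.8 cut-off is a constructed assumption."""
    if e.probability < near_certain:
        return "representation and warranty"
    return "condition of close" if e.seller_can_fix else "price reduction"

# Constructed sample: a relicensed, source-available component beneath 12 services.
CACHE_ENGINE = Exposure("cache-engine", 0.9, False, [
    replacement_path(30_000, 1.0, 12),           # 360k effort, 12 weeks
    RemediationPath("license", 600_000, 0.5),    # vendor quote over the holding period
    RemediationPath("fork", 90_000, 6),          # migrate to the community fork
])
```

For the sample, the fork is the cheapest credible path at 210,000 all-in, the probability-weighted exposure is 189,000, and because it is near certain and not something the seller can fix first, it lands in the price.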
None of this is legal advice. Whether a particular license obligation is triggered by the target's use is a question for counsel. What we do is size the commercial exposure, attach a defensible figure, and present it in a form the deal team can act on. Because we are independent and buyer side, take no vendor fees, and resell no software, the figure reflects the buyer's position and nothing else. The point is not to inflate findings to kill a deal. It is to make sure the price reflects the software the buyer is actually acquiring. This is commercial and licensing risk advisory, and for interpretation of specific terms we recommend you engage your own counsel.
COMMON QUESTIONS
Questions deal teams ask.
What does quantifying open source risk for a deal mean?
Quantifying open source risk for a deal means expressing each license exposure in the target's software as a figure in money and time. A copyleft component on a critical path becomes a replacement cost. A relicensed dependency becomes a commercial license cost or a migration cost. The figure is what lets the deal team act on the finding rather than note it.
How do you put a number on a license exposure?
You start from the remediation path. For a component you would replace, the number is the engineering effort plus schedule risk. For one you would license, it is the vendor quote sized to the target's usage. For one you would migrate to a community fork, it is the project cost of that move. Each path gives a defensible figure rather than a guess.
What inputs do you need to quantify the risk?
A resolved dependency tree, the current license state of every node, the target's distribution and service model, the blast radius of each material component, and a realistic remediation path for each one. With those inputs the figure follows. Without them, any number is a placeholder.
Where does the quantified risk go in a deal?
Into one of three places. It reduces the offer price, it becomes a condition of close that requires the seller to remediate first, or it is covered by a representation and warranty with an indemnity behind it. Which one fits depends on the size of the figure and the leverage in the deal.
Is a quantified figure the same as a legal opinion?
No. A quantified figure is a commercial estimate of remediation cost and exposure. Whether a specific license obligation is triggered is a legal question. We size the commercial risk and recommend you engage your own counsel for interpretation of the terms.