OpenSource Risk Experts
Map your blast radius

OPEN SOURCE LICENSE RISK

Open source license risk FAQ: 20 questions.

This open source license risk FAQ answers the 20 questions buyers raise most often, from what source available really means to how a relicense reaches production and what containment looks like. Plain answers, buyer side, no fear mongering.

Published May 25, 2026. Commercial and licensing risk advisory, not legal advice.

An open source license risk FAQ earns its place because the topic moves fast and the questions repeat across every buyer we meet. Since 2023, a series of widely used projects has changed license, and the same handful of concerns surface in each conversation: what changed, whether it reaches software already in production, and what to do about it. The answers below are grouped into the basics, the named relicensing events, exposure and obligations, and containment. They are written for the CISO, general counsel, procurement, and engineering leaders who carry the risk together. For the full treatment, see the pillar on open source license risk.

The basics

1. What is open source license risk? It is the exposure created when the license governing software you run changes, restricts your use, or imposes obligations you had not planned for. It became acute when projects moved from open licenses to source available ones.

2. Is source available the same as open source? No. Source available means the code can be read, but the license restricts use, typically competitive, commercial, or hosted use, in ways that an open source license does not and that the Open Source Definition does not allow. The distinction is the heart of the matter, as set out in permissive vs copyleft vs source available explained.

3. What is the Business Source License? It is a source available license that restricts competitive production use and converts each release to an open license on a change date, at most four years after that release. It is not approved as open source by the Open Source Initiative.

4. What is the Server Side Public License? It is a source available license with strong copyleft style obligations aimed at those who offer the software as a service, reaching beyond the software itself to the code used to run and manage the service. It too is not approved as open source by the Open Source Initiative.

5. Why should the board care? Because a license change can create unbudgeted cost, force migration, or invite an audit, all on software the business depends on. The board framing is covered in open source license risk for the board.

The named relicensing events

6. What did HashiCorp do? HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer to the Business Source License as of August 2023. IBM later acquired HashiCorp. The community fork of Terraform is OpenTofu.

7. What did Redis do? Redis moved to a dual Redis Source Available License and Server Side Public License model as of March 2024, and later added an open license option. The community fork is Valkey.

8. What did Elastic do? Elastic moved Elasticsearch and Kibana from Apache 2.0 to the Server Side Public License and the Elastic License in 2021, and later added an open license option. The AWS led fork is OpenSearch.

9. What about MongoDB? MongoDB moved to the Server Side Public License in 2018, the change that set the pattern others later followed.

10. Is this wave likely to continue? The 2023 to 2026 wave followed the earlier moves by MongoDB and Elastic, and nothing in the pattern suggests it has ended. Treat it as an ongoing risk, not a closed chapter. The arc is traced in the 2023 to 2026 relicensing wave explained.

Exposure and obligations

11. Does a relicense affect software already running? It can. The license travels with the version: releases after the change carry the new terms, so a deployment that has been upgraded, or a rebuild that pulls the current release, is already under them. Whether the restrictions then bite depends on how you use the software, which is why the version you run and the way you run it are the first two things to check.

12. What happens to old versions? Versions released before the change keep their prior license, but new releases and fixes, security fixes included, arrive only under the new terms. A version pinned for license reasons therefore accumulates unpatched defects over time, which creates its own pressure to move.

13. Where does hidden exposure usually sit? In transitive dependencies that pull a relicensed component in without anyone choosing it, in container images and managed services that bundle it, and in production systems no one is watching, as described in the hidden open source exposure in production.

14. Who owns this risk internally? It crosses security, legal, procurement, and engineering, which is why it often falls through the gaps. Ownership is examined in who owns open source license risk in the enterprise.

15. How do auditors and vendors find exposure? Through usage telemetry, public signals, and direct inquiry. The methods are detailed in how auditors and vendors find your exposure.

Containment

16. What is the first move? Build the inventory and map the blast radius. That means listing every deployed instance of the affected software with its version and how it is used, drawing on bills of materials, deployment manifests, and container images rather than on what teams remember installing. You cannot price or contain what you cannot see.

17. What are the options once exposure is mapped? Broadly three: migrate to an openly licensed alternative such as a fork, negotiate a commercial license, or accept and document the position if your use is clearly permitted, with the version pinned and the reasoning recorded so the decision survives the next audit.

18. How is the cost to cure estimated? By weighing engineering effort, license posture, and timeline for each path, as set out in the cost to cure open source license risk.

19. Can governance prevent the next surprise? Yes. License policy, approval gates, and ongoing monitoring catch a future relicense at intake rather than in an audit.

20. Is this open source license risk FAQ legal advice? No. This open source license risk FAQ is commercial and licensing risk advisory, not legal advice. For interpretation of a specific license and your compliance position, your own counsel is the right place to turn.
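The two checks that questions 11, 12, 16, and 19 describe, deciding from the deployed version whether an instance falls under the new license and gating intake on a license allowlist, can be run over an inventory mechanically. The script below is an added example written for this FAQ, not code from the page or from any of the projects named. Its input is a constructed, CycloneDX-shaped component list; the cutoff versions, the fork mapping, and the allowlist are illustrative assumptions that must be verified against each project's release notes and your own license policy before the output is relied on.

```python
"""
Map the relicensing blast radius of a deployed inventory.

Added example for this FAQ, not vendor or project code. The cutoff table,
fork mapping, and allowlist below are ASSUMPTIONS for illustration; verify
them against release notes and your own policy before use.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# ASSUMED cutoffs: first version of each project shipped under the new license.
# Some projects applied the change to several maintenance branches at once,
# which a single cutoff cannot express; treat this table as a starting point.
RELICENSE_CUTOFFS = {
    "terraform":     ("1.6.0",  "BUSL-1.1"),
    "redis":         ("7.4.0",  "RSALv2 OR SSPL-1.0"),
    "elasticsearch": ("7.11.0", "SSPL-1.0 OR Elastic-2.0"),
    "kibana":        ("7.11.0", "SSPL-1.0 OR Elastic-2.0"),
    "mongodb":       ("4.0.4",  "SSPL-1.0"),
}

# Community forks that sit outside the relicense (assumed mapping).
FORK_OF = {"opentofu": "terraform", "valkey": "redis", "opensearch": "elasticsearch"}

# ASSUMED intake policy: SPDX identifiers approved without further review.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause", "MPL-2.0", "ISC"}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.6.0', 'v7.4.0' or '8.13.0-rc1' into a comparable tuple."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = core.split(".")
    if not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))  # pad so '1.6' compares equal to '1.6.0'


@dataclass(frozen=True)
class Finding:
    name: str
    version: str
    status: str
    detail: str


def assess(component: dict) -> Finding:
    """Classify one inventory entry; the cutoff table overrides any declared license."""
    name = component["name"].lower()
    version = component["version"]
    declared = component.get("license")  # None when the inventory carries no license

    if name in FORK_OF:
        return Finding(name, version, "fork", f"community fork of {FORK_OF[name]}, outside the relicense")

    if name in RELICENSE_CUTOFFS:
        cutoff, new_license = RELICENSE_CUTOFFS[name]
        if parse_version(version) >= parse_version(cutoff):
            return Finding(name, version, "relicensed",
                           f"{version} >= {cutoff}: ships under {new_license}; check use against its terms")
        return Finding(name, version, "frozen",
                       f"{version} < {cutoff}: prior license applies, but no fixes arrive under it")

    if declared is None:
        return Finding(name, version, "unknown-license", "no license recorded; resolve before it counts as clean")
    if declared not in ALLOWED_LICENSES:
        return Finding(name, version, "policy-review", f"{declared} is outside the intake allowlist")
    return Finding(name, version, "ok", declared)


def map_blast_radius(components) -> list[Finding]:
    """Assess every component and return findings sorted worst-first."""
    order = {"relicensed": 0, "unknown-license": 1, "policy-review": 2, "frozen": 3, "fork": 4, "ok": 5}
    return sorted((assess(c) for c in components), key=lambda f: (order[f.status], f.name, f.version))


# Constructed inventory in the shape of CycloneDX components (not real data).
SAMPLE_INVENTORY = [
    {"name": "terraform", "version": "1.5.7", "license": "MPL-2.0"},
    {"name": "terraform", "version": "v1.7.0", "license": "BUSL-1.1"},
    {"name": "redis", "version": "7.2.4", "license": "BSD-3-Clause"},
    {"name": "redis", "version": "7.4.0"},                       # license missing from the inventory
    {"name": "valkey", "version": "8.0.1", "license": "BSD-3-Clause"},
    {"name": "elasticsearch", "version": "8.13.0-rc1"},          # pre-release tag still compares
    {"name": "opentofu", "version": "1.7.0", "license": "MPL-2.0"},
    {"name": "left-pad", "version": "1.3.0"},                    # transitive, license unknown
    {"name": "some-lib", "version": "2.0", "license": "SSPL-1.0"},
]

if __name__ == "__main__":
    for f in map_blast_radius(SAMPLE_INVENTORY):
        print(f"{f.status:16} {f.name:14} {f.version:12} {f.detail}")
```

Two design points matter in practice. The cutoff table is consulted before the license recorded in the inventory, because an inventory entry with a stale or missing license field is exactly the case in which a relicensed version slips through. And an entry with no license at all is reported as a finding rather than silently passed, so the unknowns show up in the same list as the known exposure.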

COMMON QUESTIONS

Questions buyers ask.

What is open source license risk?

Open source license risk is the exposure created when the license governing software you run changes, restricts your use, or imposes obligations you did not plan for. It became acute when widely used projects moved from open licenses to source available ones.

Is source available the same as open source?

No. Source available means the code can be read, but the license restricts use in ways an open source license does not. The Business Source License and the Server Side Public License are source available and are not approved as open source.

Which projects relicensed and when?

HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer to the Business Source License as of August 2023. Redis moved to a dual Redis Source Available License and Server Side Public License model as of March 2024. Elasticsearch and Kibana moved to the Server Side Public License and Elastic License in 2021. MongoDB moved to the Server Side Public License in 2018.

Does a relicense affect software already in production?

It can. The license travels with the version: releases after the change carry the new terms, so an upgraded deployment or a rebuild that pulls the current release is already under them, and the competitive use restrictions and commercial license demands then apply depending on how you use the software. The version you run is the first thing to check.

Is this open source license risk FAQ legal advice?

No. This open source license risk FAQ is commercial and licensing risk advisory, not legal advice. For interpretation of a specific license and your compliance position, we recommend your own counsel.

SEE YOUR EXPOSURE

Turn the questions into a mapped answer.

A confidential open source license risk assessment. Independent, buyer side, paid only by you.

Not ready to talk? Read the free open source license risk guides first.

Start an open source license risk assessment