OpenSource Risk Experts
Map your blast radius

ARTICLE · UPDATED JUNE 2026

The Cost to Cure Open Source License Risk

The cost to cure open source license risk is the figure that turns a vague worry into a decision. It is what it takes to bring a relicensed or noncompliant component back to a defensible position, measured across every realistic option. Get that number while the options are still open and the choice is yours. Wait until a vendor letter arrives and the number is set by someone else.

Most discussions of license risk stop at whether a problem exists. The harder and more useful question is what it costs to fix. A relicensed dependency is not a binary event. It is a set of paths out, each with its own price, timeline, and residual risk. Until those paths are costed on the same basis, no one can say whether the right move is to remediate, to fork, to negotiate a commercial license, or simply to hold a known position and watch it. The cost to cure is the common currency that lets a buyer compare them.

What the cost to cure actually includes

The cost to cure is broader than a license fee. For a remediation path it is the engineering effort to remove or replace the component, the testing to prove the replacement works, and the operational disruption of shipping the change. For a fork it is the cost of migrating to a community alternative such as OpenTofu, Valkey, or OpenSearch, plus the ongoing cost of tracking a project that is no longer the upstream you started with. For a commercial license it is the negotiated price over the term, weighed against the leverage your actual usage gives you. A complete estimate carries all of these so that the cheapest defensible path is visible rather than assumed.

There is also a fourth option that an honest estimate has to price: doing nothing for now. Holding a known position can be the right call when the exposure is small and contained, but it is only a decision if the cost of the alternatives is on the table beside it. Without the comparison, inertia masquerades as strategy.

Why the blast radius drives the number

The single largest driver of the cost to cure is the blast radius, meaning how much of your estate depends on the affected component. A relicensed library that touches one service is a contained change a single team can absorb. The same library beneath forty services is a program of work spanning quarters and teams. The component is identical in both cases. The cost is not, because the cost tracks reach rather than the component itself. This is why mapping the blast radius comes before pricing anything, and the method for that mapping is set out in how to map your open source blast radius.

Reach is also why so much exposure hides where no one is looking. A relicensed component buried in the indirect part of the tree can carry a wide blast radius without ever appearing on an inventory. The mechanics of that are covered in transitive dependencies and hidden license risk, and the way reach becomes a financial figure is covered in quantifying open source license exposure.

Why the cost rises the longer you wait

The cost to cure is not static. It climbs quietly with every release. Each time a team adopts a newer version of a relicensed component under its new terms, and each time another service is built on top of it, the blast radius widens and the cost to unwind it grows. The exposure does not increase because anyone did anything wrong. It increases because normal delivery keeps building on the affected node. By the time the change is impossible to ignore, the cheap version of the fix is gone.

The license family shapes the curve. In August 2023, HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer to the Business Source License 1.1, which restricts competitive production use. In March 2024, Redis moved to a dual model with the Server Side Public License, and in 2021 Elasticsearch and Kibana moved to the Server Side Public License and the Elastic License. MongoDB moved to the Server Side Public License in 2018. Source-available is not open source, and none of these licenses is approved by the Open Source Initiative. The Business Source License tends to create a competitive-use question, while the Server Side Public License tends to create a service obligation. The two produce different cures and different costs, so the family of the affected component is part of the estimate.

How to estimate the cost to cure before you are forced to

The estimate follows from the map. Resolve the dependency tree, direct and transitive, identify the relicensed and high risk components, and trace the blast radius of each. Then price each containment path against that radius: remediation effort, fork migration, commercial license, or a deliberate hold. The result is a ranked set of cures with a cost attached to each, produced while every option is still open. An open source license risk assessment produces exactly this, and the broader discipline sits on the open source license risk pillar.
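The steps above, carried through in code as an added example (this is not the firm's tooling, and every component, service, license tag and cost figure is constructed): resolve the tree, flag the relicensed families, trace the blast radius per component, and price each containment path against that radius.

```python
# Added example (not the firm's tooling): blast radius and cost to cure over a
# constructed dependency graph. All names, license tags and costs are made up.
from collections import defaultdict

# component -> (license, direct deps). "Proprietary" nodes are our own services.
# SPDX-style tags; BUSL-1.1, SSPL-1.0, Elastic-2.0 are the relicensed families.
COMPONENTS = {
    "svc-billing": ("Proprietary", ["lib-cache-client", "lib-http"]),
    "svc-search": ("Proprietary", ["lib-search-sdk"]),
    "svc-reports": ("Proprietary", ["lib-http"]),
    "lib-cache-client": ("MIT", ["cache-server"]),
    "lib-search-sdk": ("Apache-2.0", ["search-engine"]),
    "lib-http": ("Apache-2.0", []),
    "cache-server": ("SSPL-1.0", []),   # reached only transitively
    "search-engine": ("Elastic-2.0", []),
    "infra-tool": ("BUSL-1.1", []),     # relicensed but nothing reaches it
}
RELICENSED = {"BUSL-1.1", "SSPL-1.0", "Elastic-2.0"}
RATES = {"remediate_fixed": 40_000, "remediate_per_svc": 25_000, "fork_fixed": 60_000,
         "fork_per_svc": 10_000, "license_per_svc_year": 30_000, "term_years": 3}

def transitive_deps(graph, node, seen=None):
    """Every component reachable from node, direct and transitive."""
    seen = set() if seen is None else seen
    for dep in graph[node][1]:
        if dep not in seen:
            seen.add(dep)
            transitive_deps(graph, dep, seen)
    return seen

def blast_radius(graph, relicensed=RELICENSED):
    """Map each relicensed component to the set of services that reach it."""
    radius = defaultdict(set)
    services = [n for n, (lic, _) in graph.items() if lic == "Proprietary"]
    for svc in services:
        for dep in transitive_deps(graph, svc):
            if graph[dep][0] in relicensed:
                radius[dep].add(svc)
    return dict(radius)

def cost_to_cure(n_services, rates=RATES):
    """Price each path against a radius of n_services, cheapest first.
    A hold costs nothing upfront; its price is that these figures grow."""
    paths = {
        "remediate": rates["remediate_fixed"] + rates["remediate_per_svc"] * n_services,
        "fork": rates["fork_fixed"] + rates["fork_per_svc"] * n_services,
        "commercial": rates["license_per_svc_year"] * n_services * rates["term_years"],
    }
    return sorted(paths.items(), key=lambda kv: kv[1])
```

With these constructed rates, remediation is cheapest at a radius of one service but a fork is cheapest at five, which is the point of pricing every path against the radius rather than assuming one. Unreached relicensed components such as infra-tool appear on the inventory but carry no radius and no cure cost.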

We are independent and buyer side. We take no vendor fees and resell no software, so the cost to cure we produce reflects your exposure and nothing else, including when the honest answer is that the cheapest defensible path is to hold. This is commercial and licensing risk advisory, not legal advice. For interpretation of specific license terms and your compliance position, engage your own counsel.

COMMON QUESTIONS

Questions buyers ask.

What is the cost to cure open source license risk?

The cost to cure is what it takes to bring a relicensed or noncompliant component back to a defensible position. It includes the engineering effort to remediate, the price of a commercial license if you negotiate one, the cost of moving to a fork, and the operational disruption of any of these. The right figure compares all the options on the same basis.

Why does the cost to cure rise over time?

Every release that adopts a component under new terms and every team that builds more on top widens the blast radius. A change that touches one service today can touch many tomorrow. The cost to cure tracks that reach, so it grows quietly until a vendor letter or an audit forces the timeline and removes the cheaper options.

What drives the cost to cure for a relicensed component?

The main driver is the blast radius, meaning how many services, products, and teams depend on the component. Secondary drivers are how deeply it is wired in, whether a compatible fork exists, and how much leverage your usage gives you in a commercial negotiation. The license family also matters, because the Business Source License and the Server Side Public License create different obligations.

How do we estimate the cost to cure before we have to act?

Map the dependency tree, identify the relicensed and high risk components, trace the blast radius of each, and price each containment option against it. An open source license risk assessment produces this estimate while every option is still open, which is when the cost is lowest.

Is this legal advice?

No. This is commercial and licensing risk advisory, not legal advice. For interpretation of license terms and compliance questions, we recommend you engage your own counsel.

CONTAINMENT

Know the cost before the clock starts.

A confidential open source license risk assessment. Independent, buyer side, paid only by you.

Not ready to talk? Read the free open source license risk guides first.
