OpenSource Risk Experts
Map your blast radius

ARTICLE . UPDATED JUNE 2026

Relicensing Risk in Your Vendor Stack

Relicensing risk in your vendor stack is the exposure you inherit through the commercial software you buy, not the open source you adopt directly. When a product you license embeds a component that has changed terms, the vendor's problem can become yours through a price increase, a forced product change, or a gap in your indemnity. You never chose the underlying component, yet you can carry the consequence. Finding that risk takes a procurement habit, not just a code scan.

Most discussion of license risk assumes you control the code. You scan your own repositories, map your own dependencies, and decide what to do. But a large share of an enterprise's software is bought, not built. Commercial products, managed platforms, and embedded systems all rest on open source the supplier chose, and that open source can relicense without ever appearing in your repositories. When it does, the exposure flows to you through the supplier relationship rather than through your build. This is relicensing risk in the vendor stack, and it is the part of the picture that a code centered approach misses entirely.

How a relicense inside a product becomes your problem

When a component embedded in a commercial product relicenses, the vendor has a decision to make, and every option can reach the buyer. The vendor may pass on a higher cost if it now has to pay for a commercial license to the relicensed component. It may change the product to remove or replace the component, which can break integrations you depend on. It may face a dispute with the upstream that disrupts the service you rely on. Or it may quietly carry the exposure and hope it never surfaces, which leaves you depending on a position the vendor has not disclosed. In each case, how much lands on you is governed by your contract rather than by your engineering. The relicensing event happened to the vendor. The contract decides whether it stays there.

The components driving this are the same ones reshaping the risk in code you adopt directly. In August 2023, HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer to the Business Source License 1.1. Redis moved in March 2024 to a dual model under the Redis Source Available License and the Server Side Public License, Elasticsearch and Kibana moved in 2021 to a choice of the Server Side Public License or the Elastic License, and MongoDB moved to the Server Side Public License in 2018. Any of these can sit inside a product you buy. Source available is not open source, and none of these licenses is approved by the Open Source Initiative, so a product built on one of them carries a restriction the supplier has to manage on your behalf. The new terms apply to releases from the relicense onward, so a vendor pinned to an earlier release is not restricted today but is running a version that will fall out of upstream support, which is a different exposure with the same origin.

Finding the risk in software you only buy

You cannot scan a vendor's source the way you scan your own, but the risk is still discoverable. The signals live in vendor documentation, in any software bill of materials the supplier provides, in security and compliance questionnaires, and in the contract itself. The single most useful step is to ask. A procurement question about what open source a product embeds and how the vendor tracks relicensing is fair, increasingly standard, and often revealing. Suppliers who manage this well can answer it. Suppliers who cannot are themselves a signal. The way these questions fit into a buying process is covered in relicensing and procurement approval processes.

The contract terms that decide who carries the risk

Because the vendor stack risk travels through the contract, the contract is where it is contained. Four terms do most of the work. The indemnity for third party license claims decides who pays if the relicensed component triggers a dispute. The vendor's right to change the product decides whether the supplier can alter what you bought without your agreement. Price protection across the term decides whether a cost the vendor incurs can be passed straight to you. And any explicit commitment about the open source the product depends on tells you whether the supplier is even tracking the question. These terms turn an abstract worry into a concrete allocation of risk. Your own counsel should review the specific language, because the wording determines the outcome. The wider obligation picture is set out in relicensing and your compliance obligations.

Bringing the vendor stack into your exposure picture

A complete view of relicensing exposure covers both what you build and what you buy. The bought in part is harder to see, but ignoring it leaves a blind spot exactly where you have the least control. The practical approach is to extend your dependency mapping with a supplier layer: which products you rely on, what they are known to embed, and what your contracts say about change and indemnity. This work sits on the relicensing pillar, and a relicensing exposure review can include the vendor stack alongside your own code.
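As an added worked example (not the page's own tooling and not any vendor's), the script below does the first concrete step of the supplier layer described here and of the SBOM check described under finding the risk in software you only buy: it reads a vendor-supplied CycloneDX SBOM and records, for each component that needs attention, the product that embeds it, the component and version, and why it was flagged. The SBOM, the product name AcmeObservability, and the component versions are constructed for illustration. A component is flagged as restricted when its SPDX license expression names BUSL-1.1, SSPL-1.0 or Elastic-2.0, and flagged for version verification when it comes from a project that relicensed upstream but is listed under older permissive terms.

```python
"""Flag relicensed open source components inside a vendor-supplied CycloneDX SBOM.

Added example, not code from the page or from any vendor. It assumes the supplier
hands over a CycloneDX 1.5 JSON document with SPDX license ids or expressions;
the product and component list below are constructed for illustration.
"""
import json
import re

# SPDX identifiers for the source-available licenses the article names.
RESTRICTED_LICENSES = {
    "BUSL-1.1": "Business Source License 1.1",
    "SSPL-1.0": "Server Side Public License 1.0",
    "Elastic-2.0": "Elastic License 2.0",
}

# Projects that relicensed upstream. A vendor may still ship a pre-relicense release
# under the old permissive terms, so a name match means "check the version", not "exposed".
RELICENSED_PROJECTS = {
    "terraform", "vault", "consul", "nomad", "packer",
    "redis", "elasticsearch", "kibana", "mongodb",
}

# Constructed sample SBOM standing in for one a supplier would provide.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "AcmeObservability", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "elasticsearch", "version": "8.11.0",
     "licenses": [{"expression": "SSPL-1.0 OR Elastic-2.0"}]},
    {"type": "library", "name": "redis", "version": "6.2.14",
     "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
    {"type": "application", "name": "terraform", "version": "1.6.0",
     "licenses": [{"license": {"id": "BUSL-1.1"}}]},
    {"type": "library", "name": "curl", "version": "8.4.0",
     "licenses": [{"license": {"id": "curl"}}]}
  ]
}
""")


def component_licenses(component):
    """Collect SPDX ids or expressions from a CycloneDX component's licenses array."""
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name", ""))
    return found


def restricted_ids(expression):
    """Return the restricted SPDX ids inside an expression such as 'SSPL-1.0 OR Elastic-2.0'."""
    tokens = re.split(r"[\s()]+", expression)
    return sorted(t for t in tokens if t in RESTRICTED_LICENSES)


def assess_sbom(sbom):
    """Return one finding per component needing attention, tagged with the embedding product."""
    product = sbom.get("metadata", {}).get("component", {})
    product_name = product.get("name", "unknown")
    findings = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "")
        licenses = component_licenses(comp)
        hits = sorted({rid for lic in licenses for rid in restricted_ids(lic)})
        if hits:
            reason = "restricted-license"
            detail = ", ".join(RESTRICTED_LICENSES[h] for h in hits)
        elif name.lower() in RELICENSED_PROJECTS:
            reason = "verify-version"
            detail = "project relicensed upstream; confirm this release's terms and support horizon"
        else:
            continue  # nothing to record for this component
        findings.append({
            "product": product_name,
            "component": name,
            "version": comp.get("version", ""),
            "licenses": licenses,
            "reason": reason,
            "detail": detail,
        })
    return findings


if __name__ == "__main__":
    for f in assess_sbom(SAMPLE_SBOM):
        print(f"{f['product']}: {f['component']} {f['version']} [{f['reason']}] {f['detail']}")
```

A name match under a permissive license is deliberately reported as a question rather than a finding: the supplier may be pinned to the last open source release, and the procurement question is what happens when that release stops receiving fixes. The check relies on SPDX identifiers, which is what CycloneDX and SPDX documents carry; a supplier SBOM that records licenses only as free-text names needs a normalisation step before this is reliable, and a supplier that provides no SBOM at all is the signal the section above describes.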

We are independent and buyer side. We take no vendor fees and resell no software, so we assess your suppliers from your side of the table. This is commercial and licensing risk advisory, not legal advice. For interpretation of vendor contract terms and license obligations, engage your own counsel.

COMMON QUESTIONS

Questions buyers ask.

What is relicensing risk in your vendor stack?

It is the exposure that arrives through the commercial software and services you buy, rather than through code you adopt directly. When a product you license embeds a component that has relicensed, such as a Business Source License or Server Side Public License project, the vendor's exposure can flow to you through indemnity gaps, price increases, or a forced product change. The risk is real even though you never chose the underlying component.

How does a relicense inside a vendor product reach you?

It reaches you through your supplier. If a vendor's product depends on a relicensed component, the vendor may pass on a higher cost, change the product to remove the component, or face a dispute that disrupts your service. Your contract determines how much of that lands on you. Weak indemnities and broad change rights move the risk toward the buyer.

Can you find relicensing risk in software you only buy?

Yes, though it takes more work than scanning your own code. The signals are in vendor documentation, bills of materials, security questionnaires, and contract terms. Asking suppliers what open source they embed and how they track relicensing is a fair and increasingly standard procurement question. A relicensing exposure review can extend to the bought in part of your stack.

What contract terms matter for vendor relicensing risk?

The terms that matter most are the indemnity for third party license claims, the vendor's right to change the product, price protection across the term, and any commitment about the open source the product depends on. These determine whether a relicense inside the vendor's stack stays the vendor's problem or becomes yours. Your own counsel should review the specific language.

Is this legal advice?

No. This is commercial and licensing risk advisory, not legal advice. For interpretation of vendor contract terms and license obligations, we recommend you engage your own counsel.

CONTAINMENT

See the risk your suppliers carry for you.

A confidential relicensing exposure review. Independent, buyer side, paid only by you.

Not ready to talk? Read the free open source license risk guides first.

Review your exposure