OpenSource Risk Experts


The cost model of each remediation path.

The cost model of each remediation path turns a relicensing decision into numbers you can defend. This guide shows how to price forking, migrating, and paying across one-time engineering, recurring spend, and the residual risk each option leaves behind.

After a project you depend on relicenses, the choice to fork, migrate, or pay is rarely settled by instinct. It is settled by a cost model that captures every figure each path carries, including the ones that do not appear on an invoice. The cost model of each remediation path is the artifact that lets a CISO, a general counsel, and a finance lead look at the same numbers and reach the same conclusion. Build it badly and you will pick the option that looks cheapest this quarter while quietly carrying the largest liability. Build it well and the right path tends to stand out on its own.

The three parts of the cost model of each remediation path

Every remediation option carries three kinds of cost. The first is one-time cost: the engineering work, testing, and disruption needed to make the change. The second is recurring cost: the fees, support, and maintenance that repeat each year for as long as you run the result. The third is residual risk: the priced value of the exposure that remains after the path is complete. A model that captures only the first component flatters paying, the path with the lowest engineering cost. A model that stops at the first two hides what each path leaves behind: the health of a fork community you do not control, or the lock-in a vendor can lean on at renewal. Only when all three sit side by side does the comparison hold, because the cheapest path on engineering can be the most expensive once recurring fees and leftover exposure are counted.

Pricing the fork path

Forking adopts a community fork that continues the software under an open license, such as OpenTofu from Terraform or Valkey from Redis. Its one-time cost is the engineering effort to switch, which is small when compatibility is strong and larger when it is weak. Its recurring cost is the ongoing maintenance of staying current with the fork and the implied commitment to a community whose health you do not control. Its residual risk is usually low, because returning to an open license removes the restriction outright rather than working around it; what remains is the chance that the fork stalls and forces a later move. The trap is assuming a fork is free. Test compatibility against your real workloads, and price the maintenance honestly, because a fork with weak momentum can cost more over time than the switch saved. We weigh the choice itself in fork, migrate, or pay: the remediation decision.

Pricing the migration path

Migration replaces the component with a different product. It carries the highest one-time cost of the three, because it touches client code, data formats, and operational runbooks rather than swapping one binary for a compatible one. Its recurring cost is whatever the replacement charges, which may be nothing for an open license alternative. Its residual risk is low once complete, since the exposed component is gone. The discipline in pricing migration is to count the full project: data migration, dual running, retraining, and the testing that proves nothing broke. Migration earns its higher one-time figure when no credible fork fits, when the component was due for replacement anyway, or when the move improves the architecture as well as the license posture.

Pricing the pay path

Paying for a commercial license has the lowest one-time cost and the highest recurring cost. It closes the license exposure fast, which is its main appeal when a renewal or an audit is near. It leaves little residual risk on the license itself but introduces a new kind of exposure: price escalation at renewal and lock-in to a vendor whose leverage grows as your dependence deepens. When you price the pay path, model not just the first-year fee but the likely trajectory across the horizon, including the increase a vendor can seek once you have no credible alternative ready. The way to hold that cost down is to right-size the agreement to actual usage rather than accept a list price, which is a negotiation in its own right.

Put every path on the same horizon

A one-time cost and a recurring cost cannot be compared until both sit on the same timeline. Choose a horizon that matches how long you expect to run the component, commonly three to five years, and total each path across it. A migration that costs a large sum once is frequently cheaper across five years than a commercial license that recurs annually and rises at each renewal. The horizon also exposes the difference between a path that ends the cost and a path that perpetuates it. Forking and migrating tend to front-load the spend and then taper. Paying spreads it and lets it grow. The multi-year total is what makes those shapes comparable.

Anchor the model to the cost of exposure

Every remediation cost only matters relative to the cost of doing nothing. Before you can judge whether forking, migrating, or paying is worth its price, you need the priced value of the exposure if the restriction reaches your use. That figure is the ceiling against which each path is measured, and it is what stops a model from recommending an expensive cure for a small ailment or a cheap patch for a large one. We cover the sizing discipline in the cost to cure open source license risk and the underlying exposure math in quantifying open source license exposure. The full frame sits in our pillar on remediation and alternatives. Whether a license actually restricts your specific use is a question for your own counsel, and that answer sets the residual risk figure the whole model turns on.
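The three-part model, the shared horizon, and the exposure ceiling described above, carried through as an added worked example in Python. This is not code from the page or from OpenSource Risk Experts. Every figure is constructed for illustration (thousands of USD over a five-year horizon), and residual risk is priced here as an expected loss, probability times impact, which is this example's assumption rather than the page's definition. The `parts` argument lets you run a deliberately partial model, which is how the example shows the path that wins on engineering alone losing once recurring fees and residual risk are counted.

```python
"""Multi-year cost model for the fork, migrate and pay paths (added example).

Structure follows the page: one-time cost + recurring cost summed over a
shared horizon + priced residual risk, measured against the cost of doing
nothing. All figures are constructed (thousands of USD) and are not from
the page. Residual risk as probability x impact is this example's assumption.
"""
from dataclasses import dataclass

ALL_PARTS = ("one_time", "recurring", "residual")


@dataclass(frozen=True)
class Path:
    name: str
    one_time: float              # engineering, testing, dual running, retraining
    recurring_year1: float       # year-1 licence fee or maintenance effort
    escalation: float            # annual growth of the recurring figure, 0.10 = 10 %
    residual_probability: float  # chance the leftover exposure materialises in the horizon
    residual_impact: float       # priced loss if it does


def recurring_total(year1: float, escalation: float, horizon: int) -> float:
    """Recurring spend summed over the horizon, compounding each renewal."""
    return sum(year1 * (1.0 + escalation) ** year for year in range(horizon))


def residual_risk(path: Path) -> float:
    """Expected loss of what the path leaves behind (assumption: probability x impact)."""
    return path.residual_probability * path.residual_impact


def components(path: Path, horizon: int) -> dict:
    """The three parts of the model, kept separate so each can be inspected."""
    return {
        "one_time": path.one_time,
        "recurring": recurring_total(path.recurring_year1, path.escalation, horizon),
        "residual": residual_risk(path),
    }


def total_cost(path: Path, horizon: int, parts=ALL_PARTS) -> float:
    """Sum of the chosen components; passing fewer parts is a deliberately partial model."""
    c = components(path, horizon)
    return sum(c[p] for p in parts)


def rank(paths, horizon: int, parts=ALL_PARTS):
    """Paths ordered cheapest first under the chosen components."""
    return sorted(paths, key=lambda p: total_cost(p, horizon, parts))


# Constructed figures for one relicensed component over a five-year horizon.
HORIZON_YEARS = 5
DO_NOTHING = Path("do nothing", 0, 0, 0.00, 0.40, 2000)  # exposure if the restriction reaches you
FORK = Path("fork", 120, 40, 0.00, 0.20, 400)            # fork may stall and force a later move
MIGRATE = Path("migrate", 450, 30, 0.03, 0.05, 200)      # little is left once the component is gone
PAY = Path("pay", 20, 150, 0.10, 0.30, 300)              # fee rises 10 %/yr; lock-in priced as residual
REMEDIATIONS = (FORK, MIGRATE, PAY)


def exposure_ceiling(horizon: int = HORIZON_YEARS) -> float:
    """Priced cost of doing nothing; a remediation above this is an expensive cure."""
    return total_cost(DO_NOTHING, horizon)


def cheapest(parts=ALL_PARTS, horizon: int = HORIZON_YEARS) -> str:
    """Name of the cheapest remediation under the given components."""
    return rank(REMEDIATIONS, horizon, parts)[0].name


if __name__ == "__main__":
    print(f"exposure ceiling (do nothing): {exposure_ceiling():,.0f}")
    for p in rank(REMEDIATIONS, HORIZON_YEARS):
        c = components(p, HORIZON_YEARS)
        print(f"{p.name:8} one-time {c['one_time']:6.0f}  recurring {c['recurring']:7.0f}  "
              f"residual {c['residual']:5.0f}  total {total_cost(p, HORIZON_YEARS):8.0f}")
    print("cheapest on engineering only:", cheapest(("one_time",)))
    print("cheapest on the full model:  ", cheapest())
```

Under these constructed figures the pay path is cheapest on one-time cost alone and most expensive on the full model, and its five-year total exceeds the priced exposure it cures, which is exactly the signal the ceiling is there to give. Swap in your own figures, and in particular your counsel's view of whether the restriction reaches your use, which sets the do-nothing probability.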

COMMON QUESTIONS

Questions buyers ask.

What goes into the cost model of each remediation path?

The cost model of each remediation path captures one-time engineering cost, recurring cost, and the cost of the risk that remains. Forking carries switching and maintenance cost but returns you to an open license. Migrating carries the highest one-time cost. Paying carries a recurring license fee that can rise at each renewal. Each path also leaves a different amount of residual exposure, which belongs in the same model.

Why include residual risk in the cost model?

A path can look cheap on engineering and still leave you exposed. Paying for a commercial license closes the license risk but locks in a recurring cost that can rise at renewal. Staying put has no engineering cost but carries the full exposure if the restriction reaches your use. Pricing residual risk alongside spend stops a cheap looking path from hiding a large liability.

How do I compare a one time cost to a recurring cost?

Convert both to a multi-year total over the same horizon, commonly three to five years. A migration that costs a large sum once can be cheaper across five years than a commercial license that recurs every year and rises at each renewal. The horizon you choose should match how long you expect to run the component.

Does the cheapest path always win?

No. The cost model informs the decision but does not make it alone. Timeline, engineering capacity, and the strategic value of the component all weigh in. A slightly more expensive path that closes the exposure faster, or that improves the architecture, can be the better choice. The model exists to make the tradeoff visible, not to remove judgment.

Is a remediation cost model legal advice?

No. This is commercial and licensing risk advisory, not legal advice. For interpretation of whether a license restricts your specific use, which sets the residual risk in the model, we recommend your own counsel.

REMEDIATION

Build the cost model with us.

Our remediation advisory prices fork, migrate, and pay across engineering, recurring spend, and residual risk. Independent, buyer side, paid only by you.
