OpenSource Risk Experts
Map your blast radius

SERVICES

Open source license risk services that map, quantify, and contain exposure.

Our open source license risk services cover eight engagements, each scoped to the exposure you carry today. We work from the buyer side, name the risk plainly, and leave you with a dependency tree you can defend to a vendor, an auditor, or your board.

01

Open Source License Risk Assessment

FOUNDATION

We map every open source dependency you run and the license state of each one, direct and transitive. You receive a complete, current picture of what governs your software, including the components that have quietly changed terms since you adopted them.

  • Full dependency tree
  • License state per node
  • Risk-ranked findings

02

Relicensing Exposure Review

BSL / SSPL

When a project moves from an open license to a source-available one, we quantify what the change costs you. We trace the blast radius through everything built on the affected component and size the financial and operational exposure in board language.

  • Blast radius map
  • Cost of exposure
  • Cost to cure

03

Open Source Remediation Advisory

CONTAIN

We contain the risk and reroute to safe alternatives or negotiated terms. Every option is weighed on engineering cost, license posture, and timeline, so the path you choose holds under scrutiny and does not simply move the exposure somewhere else.

  • Containment plan
  • Safe-path migration
  • Sequenced roadmap

04

Open Source Commercial License Negotiation

BUYER SIDE

When a commercial license is the right answer, we negotiate the terms from your side of the table. The agreement reflects your actual usage and leverage rather than a list price built for someone else.

  • Usage baseline
  • Term strategy
  • Negotiation support

05

Open Source Governance and Policy

PREVENT

We set the rules before the next change lands. Policy, approval gates, and license allowlists are built to your risk tolerance and wired into the way your teams ship, so a future relicense is caught at intake rather than in an audit.

  • License policy
  • Approval gates
  • Intake controls

06

SBOM and Dependency Mapping

SBOM

We produce a software bill of materials that sees the full tree, layers down, and keeps it current. The same map that satisfies a regulator is the map that lets you find a relicensed component before it becomes a finding.

  • SPDX / CycloneDX
  • Transitive depth
  • Continuous refresh

07

Open Source M&A Due Diligence

DEAL

We find the exposure before the deal closes. A target's dependency tree can carry relicensing risk that materially changes valuation, and we surface it during diligence, with a remediation cost attached, while there is still room to price it in.

  • Target tree review
  • Valuation impact
  • Red-flag memo

08

Open Source Compliance Audit Defense

DEFEND

When a vendor or an auditor comes knocking, we stand up the evidence. A defensible record of what you run, under which terms, and since when turns an open-ended inquiry into a bounded, answerable question.

  • Evidence pack
  • Position memo
  • Auditor liaison

Not sure where your exposure sits? Most engagements start with the assessment, which maps your blast radius and tells you plainly what changed and what it costs. See the case studies or read why our independence matters.

COMMON QUESTIONS

Questions buyers ask.

What are open source license risk services?

Open source license risk services map the open source you run, quantify the exposure created when a project relicenses, and contain it through remediation, negotiation, or governance. The aim is a dependency tree you can defend to a vendor, an auditor, or your board.

Where should we start?

Most buyers start with an open source license risk assessment, which maps every dependency and its current license state. From there we scope a relicensing exposure review, remediation, or negotiation as needed.

Do you cover BSL and SSPL projects specifically?

Yes. Our relicensing exposure review focuses on Business Source License and Server Side Public License projects such as HashiCorp, Redis, and Elastic, and traces the blast radius through everything built on them.

Is this legal advice?

No. These are commercial and licensing risk advisory services, not legal advice. For interpretation of license terms and compliance, we recommend your own counsel.

CONTAINMENT

Map your blast radius before it spreads.

A confidential open source license risk assessment. Independent, buyer-side, paid only by you.

Not ready to talk? Read the free open source license risk guides first.
