OpenSource Risk Experts
Map your blast radius

SERVICE

Open Source M&A Due Diligence

Open source M&A due diligence finds the license exposure buried in a target before the deal closes. We map the target's dependency tree, flag every component that has relicensed or carries copyleft and competitive use obligations, and attach a remediation cost while there is still room to price it in. We work from the buyer side and are paid only by you.

Not ready to talk? Read the free open source license risk guides first.

Software diligence usually covers security debt, code quality, and key person risk. License posture is the part that gets a checkbox and little else. That gap has widened since the relicensing wave began. A target that adopted a project years ago as open source may now be running it under terms that restrict competitive use or demand a commercial license. The acquirer inherits that position at close, and the cost lands after the price is fixed.

We close that gap. Our open source M&A due diligence treats the target's dependency tree as a balance sheet item. Each node carries a license, a current state, and an obligation. We surface the ones that matter to value and translate them into a number the deal team can use.

What open source M&A due diligence covers

We start from a complete software bill of materials for the target, direct and transitive. From there we test each component against three questions. Has it relicensed, or is it likely to? Does the way the target ships its product trigger a copyleft or distribution obligation? Would continued use require a paid commercial license? The answers become a ranked list of findings, each with an exposure figure and a cost to cure.

The high-frequency findings come from a small set of projects. HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer to the Business Source License as of August 2023. Redis moved to the Server Side Public License and the RSALv2 as of March 2024. Elasticsearch and Kibana moved to the Server Side Public License as of 2021, and MongoDB did so in 2018. A target standing on any of these is carrying a position the acquirer should understand before signing. Source available is not open source, and neither the Business Source License nor the Server Side Public License is approved by the Open Source Initiative.
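The three questions above, applied to an SBOM extract, as an added illustration (this is not the firm's tooling): the relicensing table uses the events and dates stated on the page, the Elastic and MongoDB months are assumed from the announcement dates since the page gives only years, and the SBOM rows, component names, versions and release months are constructed.

```python
from typing import Dict, List, Tuple

# Relicensing events named on the page: project -> (effective month, new license).
# HashiCorp and Redis months are from the page; Elastic (Jan 2021) and MongoDB
# (Oct 2018) months are assumptions, the page gives only the year.
RELICENSED: Dict[str, Tuple[str, str]] = {
    "terraform": ("2023-08", "BUSL-1.1"), "vault": ("2023-08", "BUSL-1.1"),
    "consul": ("2023-08", "BUSL-1.1"), "nomad": ("2023-08", "BUSL-1.1"),
    "packer": ("2023-08", "BUSL-1.1"),
    "redis": ("2024-03", "SSPL-1.0 / RSALv2"),
    "elasticsearch": ("2021-01", "SSPL-1.0"), "kibana": ("2021-01", "SSPL-1.0"),
    "mongodb": ("2018-10", "SSPL-1.0"),
}
# Copyleft licenses whose obligations depend on how the product is shipped.
DISTRIBUTION_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}
NETWORK_COPYLEFT = {"AGPL-3.0-only"}  # also triggered by SaaS (network) use

# Constructed SBOM extract: one row per node of the target's tree.
SBOM: List[dict] = [
    {"name": "terraform", "version": "1.9.0", "license": "BUSL-1.1", "released": "2024-06"},
    {"name": "vault", "version": "1.13.0", "license": "MPL-2.0", "released": "2023-03"},
    {"name": "redis", "version": "7.4.0", "license": "RSALv2", "released": "2024-07"},
    {"name": "report-renderer", "version": "2.1", "license": "AGPL-3.0-only", "released": "2022-09"},
    {"name": "requests", "version": "2.31.0", "license": "Apache-2.0", "released": "2023-05"},
]

def assess(sbom: List[dict], shipping: str) -> List[dict]:
    """Apply the three questions to each node; shipping is 'distributed' or 'saas'.
    Severity: 3 = commercial license or migration needed, 2 = copyleft obligation
    triggered by the shipping model, 1 = pinned to a pre-relicensing release."""
    findings = []
    for c in sbom:
        event = RELICENSED.get(c["name"])
        if event:
            month, new_license = event
            if c["released"] >= month:  # YYYY-MM strings compare chronologically
                findings.append({"component": c["name"], "severity": 3,
                    "detail": f"relicensed to {new_license} as of {month}; commercial license or migration"})
            else:
                findings.append({"component": c["name"], "severity": 1,
                    "detail": f"pre-{month} release; any upgrade moves to {new_license}"})
        lic = c["license"]
        if lic in NETWORK_COPYLEFT or (lic in DISTRIBUTION_COPYLEFT and shipping == "distributed"):
            findings.append({"component": c["name"], "severity": 2,
                "detail": f"{lic} obligation triggered by {shipping} use"})
    return sorted(findings, key=lambda f: (-f["severity"], f["component"]))
```

Attaching an exposure figure and a cost to cure to each finding is the step the page describes next and is left to the deal team here.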

RED FLAG MEMO

A short memo delivered early, naming the components that could move valuation and the obligations behind them, so the deal team can react inside the timeline.

TARGET TREE REVIEW

A full dependency map of the target, with the license state of every node, including the components that changed terms after the target adopted them.

VALUATION IMPACT

Exposure and cost to cure expressed in deal terms, so the finding becomes a price adjustment, an escrow item, or a condition rather than a vague concern.

When to commission the review

Earlier is better. A finding that surfaces during diligence can be priced in, escrowed, or made a condition of close. The same finding after close is simply a cost the acquirer absorbed without knowing. We work to the deal calendar and lead with the red flag memo so the most material items are on the table while there is still room to act on them.

The review also serves the sell side. A seller who maps the dependency tree in advance can answer a buyer's questions cleanly, remove a source of last-minute price pressure, and present a defensible record of what runs and under which terms. Either way, the output is the same: a clear picture of license exposure that holds under scrutiny.

This engagement sits within our wider open source license risk services. For the broader context on copyleft and distribution obligations, see the M&A and compliance pillar. To understand the underlying license exposure, read the open source license risk pillar, and for the relicensing events that drive most findings, the relicensing exposure pillar.

How buyers have used the work

The pattern repeats across sectors. An acquirer finds a target running a component that moved to the Business Source License, sizes the cost of a commercial license or a migration, and reflects it in the offer. A regulated buyer maps the target's tree to confirm there is no AGPL obligation hiding in a shipped product. A seller cleans its position before going to market. Our anonymized composites show the mechanics: how a bank mapped Terraform exposure across 40 teams, how a government body built an open source policy and program office, and how an insurer established continuous license monitoring.

COMMON QUESTIONS

Questions buyers ask.

What is open source M&A due diligence?

Open source M&A due diligence maps a target company's open source dependency tree, identifies components that have relicensed or carry copyleft and competitive use obligations, and quantifies the remediation cost so the exposure can be priced into the deal before it closes.

Why does open source matter to a deal valuation?

A target may run components that moved to the Business Source License or the Server Side Public License, or that carry GNU AGPL obligations triggered by how the product is shipped. Each can force a commercial license purchase or a rebuild after close, which is a cost the acquirer inherits unless it is found and priced during diligence.

How long does diligence take?

Scope depends on the size of the target's codebase and the speed of the deal. We work to the deal timeline and deliver a red flag memo first, then a fuller dependency and exposure picture as access allows.

Is this legal advice?

No. We provide commercial and licensing risk advisory, not legal advice. We map and quantify exposure from the buyer side. For interpretation of license terms and compliance questions, we recommend your own counsel.

Are you independent of the parties?

Yes. We are an independent advisory paid only by the buyer. We resell no software and hold no position in any project we assess, so the findings reflect your risk rather than a vendor sales target.

CONTAINMENT

Price the exposure before the deal closes.

A confidential open source license risk assessment for your deal. Independent, buyer side, paid only by you.
