OpenSource Risk Experts
Map your blast radius

SERVICE

Relicensing exposure review that maps the blast radius and sizes the cost.

A relicensing exposure review tells you, plainly, what a license change costs you. When a core dependency moves from an open license to a source available one, we trace the blast radius through everything built on it and size the exposure in board language. Independent, buyer side, paid only by you.

Not ready to talk? Read the free open source license risk guides first.

A relicensing exposure review starts where most inventories stop. Knowing that you run a relicensed component is not the same as knowing what it costs you. The review traces each affected component through your estate, direct and transitive, and separates the deployments that carry real production exposure from the ones that do not. The output is a ranked map, not a raw list.

Why a relicensing exposure review matters now

Several widely used projects have changed terms in a short window. In August 2023 HashiCorp moved Terraform, Vault, Consul, Nomad and Packer from an open license to the Business Source License 1.1, which restricts competitive production use and converts to an open license after a delay, commonly four years. IBM later acquired HashiCorp. The community fork of Terraform is OpenTofu. Redis moved to a dual Redis Source Available License and Server Side Public License model in March 2024, and the community fork is Valkey. Elasticsearch and Kibana moved to the Server Side Public License and the Elastic License in 2021, with the fork OpenSearch led by AWS. MongoDB moved to the Server Side Public License in 2018.

Source available is not the same as open source. The Server Side Public License and the Business Source License are not approved by the Open Source Initiative. The core enterprise risks are competitive use restrictions, copyleft and distribution obligations such as those under the GNU AGPL, and commercial license demands, any of which can apply to software already running in production. A relicensing exposure review puts a number on that risk.

What the review delivers

  • A blast radius map showing every place each relicensed component runs and what depends on it.
  • A cost of exposure estimate for the deployments that carry genuine risk.
  • A cost to cure for each remediation path, whether that is a fork, a removal, or a negotiated commercial license.
  • A ranked set of findings so the first dollar spent retires the largest risk.

How we separate exposure from noise

Not every instance of a relicensed component is a problem. A library used in an internal tool with no competitive distribution carries a very different profile from the same library embedded in a product you ship. The review reads usage in context, weighs the license trigger against how you actually deploy, and flags only what genuinely moves your risk. That discipline keeps the remediation budget pointed at the exposure that counts.
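As an added illustration of that discipline (example code written for this page, not the firm's own tooling), the script below walks a constructed dependency graph, flags packages whose pinned version falls on or after an assumed relicensing threshold, and weights each hit by deployment context so that an internal tool ranks below a shipped product. The version thresholds, license labels, context weights and inventory are all assumptions to confirm against upstream release notes and your own risk policy.

```python
"""Rank relicensing exposure over a dependency tree. Added example, not the
firm's tooling; thresholds and weights are assumptions, confirm before use."""

# Assumed first release shipped under the new terms (check upstream release notes).
RELICENSED = {"terraform": ("1.6.0", "BSL-1.1"), "redis": ("7.4.0", "RSALv2/SSPLv1"),
              "elasticsearch": ("7.11.0", "SSPL-1.0/Elastic-2.0")}
# Deployment context scales a raw license trigger into real exposure (assumed weights).
CONTEXT_WEIGHT = {"shipped_product": 1.0, "hosted_service": 0.8, "internal_tool": 0.2}

# Constructed inventory: package -> direct dependencies, pinned versions, and
# deployments as (app, context, annual value at risk in USD).
DEP_GRAPH = {"billing-api": ["cache-client"], "cache-client": ["redis"], "redis": [],
             "ops-dashboard": ["redis"], "infra-cli": ["terraform"], "terraform": [],
             "search-ui": ["elasticsearch"], "elasticsearch": []}
VERSIONS = {"redis": "7.4.1", "terraform": "1.5.7", "elasticsearch": "8.10.0"}
DEPLOYMENTS = [("billing-api", "shipped_product", 2_000_000),
               ("ops-dashboard", "internal_tool", 100_000),
               ("infra-cli", "internal_tool", 50_000),
               ("search-ui", "hosted_service", 400_000)]

def parse_version(v):
    return tuple(int(x) for x in v.split("."))

def relicensed_license(pkg):
    """Return the new license if the pinned version falls under it, else None."""
    entry = RELICENSED.get(pkg)
    if entry and parse_version(VERSIONS[pkg]) >= parse_version(entry[0]):
        return entry[1]
    return None

def blast_radius(root):
    """Walk direct and transitive dependencies of root; return {pkg: new license}."""
    seen, stack, hits = set(), list(DEP_GRAPH[root]), {}
    while stack:
        pkg = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        lic = relicensed_license(pkg)
        if lic:
            hits[pkg] = lic
        stack.extend(DEP_GRAPH.get(pkg, []))
    return hits

def rank_exposure():
    """Attach a context weighted cost of exposure to every hit, largest first."""
    findings = [(app, pkg, lic, round(value * CONTEXT_WEIGHT[ctx]))
                for app, ctx, value in DEPLOYMENTS
                for pkg, lic in blast_radius(app).items()]
    return sorted(findings, key=lambda f: f[3], reverse=True)

if __name__ == "__main__":
    for app, pkg, lic, usd in rank_exposure():
        print(f"{app:14} {pkg:14} {lic:22} ${usd:,}")
```

In the constructed inventory the Terraform pin sits below the assumed threshold and produces no finding, while the same Redis dependency yields a large exposure in the shipped product and a small one in the internal dashboard.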

Who uses the review

The review is written for the people who carry the risk. The CISO needs the production picture, the general counsel needs the obligation map, procurement needs the negotiation baseline, and engineering leaders need a sequenced path that does not stall delivery. One review serves all four, because the same dependency tree answers all four questions.

Where the relicensing exposure review fits

Most buyers reach the review after an open source license risk assessment has mapped the full dependency tree. The assessment tells you what you run. The review tells you what the changes cost. From there the path usually runs to remediation or to a negotiated license. You can read more in the open source license risk guide and the relicensing pillar.

To see the review in practice, read how a healthcare system remediated Elastic SSPL exposure and how a logistics company migrated Elasticsearch to OpenSearch. The full case studies library shows the range of exposure we map. Our independence is the reason the numbers hold, as we explain in why our independence matters.

COMMON QUESTIONS

Questions buyers ask.

What is a relicensing exposure review?

A relicensing exposure review is a buyer side engagement that traces every place a relicensed component runs, maps the blast radius through everything built on it, and sizes the financial and operational exposure in language your board can act on.

Which license changes does the review cover?

It focuses on moves to source available terms such as the Business Source License and the Server Side Public License. As of August 2023 HashiCorp moved Terraform, Vault, Consul, Nomad and Packer to the Business Source License. Redis moved to a dual model with the Server Side Public License as of March 2024. Elasticsearch and Kibana moved in 2021. We trace the reach of each.

How is exposure quantified?

We separate true production exposure from noise, then attach a cost of exposure and a cost to cure to each finding. You receive a ranked map rather than a raw inventory, so spend follows the risk that matters.

Is a relicensing exposure review legal advice?

No. This is commercial and licensing risk advisory, not legal advice. For interpretation of license terms and compliance obligations we recommend your own counsel, and we work alongside them.

How long does a review take?

Most reviews run a few weeks depending on the size of the dependency tree and how many teams are in scope. We scope the work to the exposure you carry today rather than a fixed template.

CONTAINMENT

Size your relicensing exposure before it spreads.

A confidential relicensing exposure review. Independent, buyer side, paid only by you.
