SERVICE
Open source remediation services that contain exposure and reroute to safe ground.
Our open source remediation services pick up where the assessment ends. Once a component you run has changed its license, we contain the risk and move you to a fork, a replacement, or a negotiated commercial license. Each option is weighed on engineering cost, license posture, and timeline so the path you choose holds and does not simply move the exposure somewhere else.
What open source remediation services do
A relicense rarely arrives with a clean exit. The component is already in production, woven through build pipelines, internal platforms, and shipped products. Open source remediation services exist to remove that exposure without breaking what runs on top of it. We start from a complete map of where the affected component sits, then design and sequence the work that takes you to a defensible end state.
The relicensing wave that began in 2023 made this work routine. HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer to the Business Source License 1.1 as of August 2023. Redis moved to a dual Redis Source Available License and Server Side Public License model as of March 2024. Elasticsearch and Kibana moved to the Server Side Public License and the Elastic License as of 2021, and MongoDB moved to the Server Side Public License in 2018. Source available is not the same as open source, and none of these are OSI approved. Each change can reach software already running in your estate.
We work only from the buyer side. We take no fee from any vendor and we sell no software, so the remediation plan reflects your interest and nothing else. The result is a path your engineering leaders can build and your counsel can sign off on.
When do you need remediation rather than an assessment?
An assessment tells you where the exposure sits and how large it is. Remediation is the work of removing it. You cross from one to the other the moment a component you depend on has moved to a source available license and your current use falls outside the new terms. The trigger is usually competitive use language, a copyleft or distribution obligation, or a demand to take a paid commercial license for usage you previously ran for free.
If you have not yet mapped your exposure, start with an open source license risk assessment. It gives remediation its starting point: a dependency tree that shows every node, its license state, and the blast radius around the components that changed.
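As an added illustration, not the firm's own tooling, the following walks a constructed dependency graph to find every product or component that sits in the blast radius of a node whose license is now source available; the component names, licenses and graph edges are all assumed sample data.

```python
# Added example (not the firm's tooling): given a dependency graph with a license per
# component, flag nodes whose license is source available rather than OSI approved and
# compute their blast radius: everything that depends on them, directly or transitively.
from collections import deque

# Source available licenses named on this page (constructed mapping; extend as needed).
SOURCE_AVAILABLE = {"BUSL-1.1", "SSPL-1.0", "RSALv2", "Elastic-2.0"}

# Constructed sample estate: node -> its direct dependencies, plus a license per node.
DEPENDENCIES = {
    "checkout-service": ["redis", "web-framework"],
    "search-service": ["elasticsearch", "web-framework"],
    "infra-platform": ["terraform", "vault"],
    "reporting": ["postgres"],
    "web-framework": ["logging-lib"],
    "vault": ["redis"],
}
LICENSES = {
    "redis": "RSALv2", "elasticsearch": "SSPL-1.0", "terraform": "BUSL-1.1",
    "vault": "BUSL-1.1", "postgres": "PostgreSQL", "web-framework": "MIT",
    "logging-lib": "Apache-2.0",
}

def reverse_graph(deps):
    """Map each component to the nodes that depend on it directly."""
    rev = {}
    for parent, children in deps.items():
        for child in children:
            rev.setdefault(child, set()).add(parent)
    return rev

def blast_radius(component, deps):
    """All nodes that transitively depend on `component` (BFS over reverse edges)."""
    rev = reverse_graph(deps)
    seen, queue = set(), deque([component])
    while queue:
        for parent in rev.get(queue.popleft(), ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen

def exposure_report(deps, licenses):
    """Return {relicensed component: sorted list of every node in its blast radius}."""
    return {name: sorted(blast_radius(name, deps))
            for name, lic in licenses.items() if lic in SOURCE_AVAILABLE}

if __name__ == "__main__":
    for comp, hit in sorted(exposure_report(DEPENDENCIES, LICENSES).items()):
        print(f"{comp:14} {LICENSES[comp]:10} reaches {len(hit)} nodes: {', '.join(hit)}")
```

Note that vault is both relicensed itself and inside the blast radius of redis, which is why the containment order matters: closing the redis exposure first removes one edge from the infra-platform picture before the vault decision is made.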
The options we weigh: fork, replace, or pay
Most remediation reduces to three doors. The first is a community fork. OpenTofu carries Terraform forward under an open license, Valkey forks Redis, and OpenSearch forks Elasticsearch. A fork is often the cleanest exit, but only after we confirm feature parity, support continuity, and a credible security patch path. The second door is replacement, where a different component does the same job under terms you can live with. The third is a negotiated commercial license, which is the right answer when the incumbent is too deep to move and the price can be brought down to match your real usage.
We do not arrive with a favorite. We score each door on engineering effort, license posture, operational risk, and timeline, then recommend the one that holds for your estate. Where a negotiation is the answer, we hand off to open source commercial license negotiation so you do not face the list price alone.
How a remediation engagement runs
We begin from your assessment, or run one first if you do not have it. From there we produce a containment plan that ranks the affected components by exposure and sets the order of work, so the largest risk is closed first and nothing breaks downstream. We then design the target state for each component, prove it against your environment, and sequence a migration your teams can execute alongside their normal delivery. Throughout, we keep a defensible record of what changed and when, which is the same evidence that answers a vendor inquiry or an audit later.
The deliverables are plain: a prioritized containment plan, a target state per component, a sequenced roadmap, and an evidence pack. None of it is theoretical. Every recommendation names the cost to cure and the residual risk if you defer.
Where remediation fits the wider picture
Remediation is one move in a longer game. To understand the license families that drive these changes, read the pillar guides on open source license risk and license change and relicensing. For the vendor specific picture, see HashiCorp and Terraform and Redis, Elastic, and database relicensing.
For how this plays out in practice, see how a retailer built its first open source license inventory, how a bank negotiated HashiCorp enterprise terms after the IBM deal, and the rest of our case studies.
COMMON QUESTIONS
Questions buyers ask.
What are open source remediation services?
Open source remediation services contain the risk a relicense creates and reroute you to safe alternatives or negotiated terms. Each option is weighed on engineering cost, license posture, and timeline so the path you choose holds under scrutiny and does not simply move the exposure somewhere else.
When do we need remediation rather than just an assessment?
An assessment tells you where the exposure sits. Remediation is the work of removing it. You need remediation once a component you run in production has moved to a source available license such as the Business Source License or the Server Side Public License and your current use falls outside the new terms.
Do you favor forks like OpenTofu, Valkey, and OpenSearch?
We favor the option that holds. A community fork such as OpenTofu, Valkey, or OpenSearch is often the cleanest exit, but only after we confirm feature parity, support continuity, and the security patch path. We weigh forking against replacement and a negotiated commercial license on the facts of your estate.
Is open source remediation legal advice?
No. This is commercial and licensing risk advisory, not legal advice. For interpretation of license terms and compliance obligations we recommend your own counsel, and we structure our remediation plan so your counsel can sign off on it.
How long does a remediation engagement take?
A containment plan is usually ready within weeks of a completed assessment. Execution depends on how deep the affected component sits in your dependency tree. We sequence the work so the highest exposure is contained first and nothing breaks in production.
CONTAINMENT
Contain the exposure before it spreads.
A confidential open source license risk assessment. Independent, buyer side, paid only by you.