OpenSource Risk Experts
Map your blast radius

WHITE PAPER

The open source license risk playbook.

The open source license risk playbook is a field method for the moment a core dependency changes terms. It walks through mapping the blast radius, sizing exposure, and choosing a containment path, so the people who carry the risk can act with numbers rather than adjectives. Enter your name and work email below to read the full paper.


When a project you depend on relicenses, the first hours are noisy. Someone forwards the announcement, a chat thread fills with half facts, and a leader asks the only question that matters: what does this cost us? The open source license risk playbook answers that question in a repeatable sequence, so the response is measured rather than reactive.

What the playbook covers

The paper moves from detection to prevention. It starts by explaining why a relicense creates production exposure even though nothing breaks on the day. It then sets out a method to map the blast radius across direct and transitive dependencies, separating real exposure from noise. From there it shows how to size the cost of exposure and the cost to cure, how to choose among a fork, a negotiated license, and removal, and how to prevent the next change from surprising you.

Table of contents

  • Why relicensing creates production exposure
  • Mapping the blast radius across direct and transitive dependencies
  • Sizing the cost of exposure and the cost to cure
  • Choosing a containment path: fork, negotiate, or remove
  • Negotiating a commercial license from the buyer side
  • Preventing the next relicense with policy and a current SBOM

Key takeaways

  • Source available is not open source. The Business Source License and the Server Side Public License are not approved by the Open Source Initiative, and their terms can apply to software already in production.
  • A relicense changes future terms, not the copies you already deployed, which is why the exposure is easy to miss until an upgrade, audit, or deal surfaces it.
  • The blast radius, not the component list, is what tells real exposure from noise.
  • Every finding needs a cost of exposure and a cost to cure so spend follows the largest risk.
  • Containment is a choice among a fork, a negotiated license, and removal, and most programs use a mix.
  • Prevention is the cheapest control. Policy and a current software bill of materials catch the next change at intake.
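The blast-radius mapping and the SBOM intake check described above can be reduced to one graph walk over the dependency inventory. The following Python is an added example written for this page, not code from the paper or from the firm behind it. It assumes a CycloneDX-style JSON SBOM (the `components`, `bom-ref`, `licenses` and `dependencies` fields), the component names, versions and edges are constructed for illustration, and the policy list uses the SPDX identifiers BUSL-1.1 and SSPL-1.0 for the two licenses named in the takeaways. For every component whose license matches the policy it reports whether the production root actually reaches it (direct, transitive, or not at all), and how many reachable components sit above it, which is the difference between real exposure and noise.

```python
import json
from collections import deque

# Constructed CycloneDX-style SBOM for a hypothetical service; not a real project's inventory.
SBOM_JSON = """
{
  "components": [
    {"bom-ref": "app",    "name": "order-service", "version": "3.2.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"bom-ref": "web",    "name": "web-framework", "version": "5.1.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"bom-ref": "db",     "name": "db-client",     "version": "2.8.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"bom-ref": "engine", "name": "storage-engine","version": "1.9.0", "licenses": [{"license": {"id": "BUSL-1.1"}}]},
    {"bom-ref": "log",    "name": "logging-lib",   "version": "1.4.2", "licenses": [{"license": {"id": "MIT"}}]},
    {"bom-ref": "search", "name": "search-client", "version": "7.0.0", "licenses": [{"license": {"id": "SSPL-1.0"}}]},
    {"bom-ref": "plugin", "name": "stale-plugin",  "version": "0.3.0", "licenses": [{"license": {"id": "SSPL-1.0"}}]}
  ],
  "dependencies": [
    {"ref": "app",    "dependsOn": ["web", "db", "log", "search"]},
    {"ref": "web",    "dependsOn": []},
    {"ref": "db",     "dependsOn": ["engine"]},
    {"ref": "engine", "dependsOn": []},
    {"ref": "log",    "dependsOn": ["search"]},
    {"ref": "search", "dependsOn": []},
    {"ref": "plugin", "dependsOn": ["engine"]}
  ]
}
"""

# Intake policy: SPDX identifiers that trigger a finding (assumed policy, not the paper's).
POLICY = {"BUSL-1.1": "Business Source License 1.1", "SSPL-1.0": "Server Side Public License 1.0"}


def parse_sbom(text):
    """Return (components by bom-ref, forward dependency edges by bom-ref)."""
    doc = json.loads(text)
    components = {c["bom-ref"]: c for c in doc["components"]}
    forward = {d["ref"]: list(d.get("dependsOn", [])) for d in doc.get("dependencies", [])}
    for ref in components:
        forward.setdefault(ref, [])          # components with no declared edges still exist
    return components, forward


def license_ids(component):
    """Collect SPDX ids, names or expressions declared on a component."""
    ids = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            ids.append(entry["expression"])
        else:
            lic = entry.get("license", {})
            ids.append(lic.get("id") or lic.get("name", "UNKNOWN"))
    return ids


def reachable_from(root, forward):
    """BFS from the production root; returns {ref: depth}, depth 1 = direct dependency."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for nxt in forward.get(cur, []):
            if nxt not in depth:
                depth[nxt] = depth[cur] + 1
                queue.append(nxt)
    return depth


def reverse_graph(forward):
    """Invert the edges so we can walk from a component up to everything that depends on it."""
    reverse = {ref: [] for ref in forward}
    for ref, targets in forward.items():
        for t in targets:
            reverse.setdefault(t, []).append(ref)
    return reverse


def dependents_of(ref, reverse):
    """All components that depend on `ref` directly or transitively."""
    seen, queue = set(), deque([ref])
    while queue:
        cur = queue.popleft()
        for parent in reverse.get(cur, []):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def map_blast_radius(sbom_text, root, policy=POLICY):
    """One finding per policy hit, ranked by whether production reaches it and by how much sits above it."""
    components, forward = parse_sbom(sbom_text)
    depth = reachable_from(root, forward)
    reverse = reverse_graph(forward)
    findings = []
    for ref, comp in components.items():
        hits = [lic for lic in license_ids(comp) if lic in policy]
        if not hits:
            continue
        affected = dependents_of(ref, reverse) & set(depth)   # only count what production actually ships
        findings.append({
            "component": f"{comp['name']}@{comp['version']}",
            "license": hits[0],
            "in_production_graph": ref in depth,
            "relationship": "direct" if depth.get(ref) == 1 else ("transitive" if ref in depth else "unreachable"),
            "depth": depth.get(ref),
            "affected": sorted(components[a]["name"] for a in affected),
            "blast_radius": len(affected),
        })
    findings.sort(key=lambda f: (-int(f["in_production_graph"]), -f["blast_radius"]))
    return findings


if __name__ == "__main__":
    print(json.dumps(map_blast_radius(SBOM_JSON, "app"), indent=2))
```

Run against the constructed SBOM, the walk separates three findings that a flat component list would present identically: storage-engine is two hops down under db-client and touches the service itself, search-client is a direct dependency that also arrives through logging-lib, and stale-plugin carries a flagged license but is never reached from the production root, so it is noise. The same function run at intake, before a new dependency is merged, is the policy control the last takeaway refers to.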

The full playbook expands each section with worked examples, a costing template, and a decision framework. It sits alongside the open source license risk guide and our open source license risk assessment service.

READ THE FULL PAPER

Get the open source license risk playbook.

Enter your name and work email. The PDF opens immediately. We accept corporate email only.

Commercial and licensing risk analysis, not legal advice. For interpretation of license terms, consult your own counsel.

COMMON QUESTIONS

Questions buyers ask.

What is in the open source license risk playbook?

The open source license risk playbook is a field method for the moment a core dependency relicenses. It covers mapping the blast radius, sizing the cost of exposure and the cost to cure, choosing a containment path, and preventing the next change from surprising you.

Who is the playbook for?

It is written for the CISO, the general counsel, procurement, and engineering leaders who carry open source license risk. Each section maps to a decision one of those roles has to make.

Why does the playbook ask for a work email?

The paper is gated so we can confirm the reader is a qualified buyer. Enter your name and a corporate email and you go straight to the PDF. Free and personal email domains are not accepted.

Is the playbook legal advice?

No. The playbook provides commercial and licensing risk analysis, not legal advice. For interpretation of license terms, consult your own counsel.