Hidden Risks in Commercial Software: [license compliance](https://licensecheck.io/guides/2025-license-risk-assessment) Failures

Real-world cases where companies faced legal action due to license violations. Learn from costly mistakes and protect your business from litigation.

By LicenseCheck.io License Expert
Published
Reading time 5 min
Commercial License Risk Enterprise Compliance Legal Risk

The Growing Risk of License Violations in Commercial Software

Companies increasingly face legal action from open source license violations, with damages reaching millions of dollars. Understanding these risks and learning from real cases is crucial for protecting your business.

High-Profile License Violation Cases

Case Study: Artifex vs. Hancom Office ($10+ Million Settlement)

Background: Hancom, a South Korean software company, used Ghostscript (AGPL licensed) in their office suite without complying with AGPL requirements. Violation:
  • Distributed proprietary software containing AGPL code
  • Failed to provide source code access
  • Did not include AGPL license notices
Outcome:
  • Settled for undisclosed amount (estimated $10+ million)
  • Required to comply with AGPL or remove Ghostscript
  • Significant reputational damage
Lesson: AGPL requires source code disclosure even for SaaS/cloud deployments.

Case Study: Oracle vs. Google (Android/Java APIs)

Background: Google used Java APIs in Android without Oracle's permission. Violation:
  • Used copyrighted API structure
  • Claimed fair use defense
  • Decade-long legal battle
Outcome:
  • Initially $8.8 billion claim
  • Supreme Court ruled in Google's favor (fair use)
  • Hundreds of millions in legal fees
Lesson: API copyright remains contentious; licensing clarity is essential.

Case Study: VMware GPL Violations

Background: VMware allegedly incorporated Linux kernel code into ESXi without proper GPL compliance. Violation:
  • Used GPL code in proprietary product
  • Failed to provide complete corresponding source
  • Disputed derivative work boundaries
Outcome:
  • Multiple lawsuits in Germany
  • Ongoing legal proceedings
  • Damaged community relations
Lesson: GPL boundaries in kernel modules remain legally complex.

Common Commercial License Risks

1. Viral License Contamination

Risk: Using GPL/AGPL code can force entire products to be open-sourced. Real Example:

A startup had to open-source their entire SaaS platform after accidentally including one AGPL library, losing their competitive advantage and ultimately shutting down.

Prevention:
  • Implement license scanning in CI/CD
  • Maintain approved license list
  • Regular dependency audits
  • Clear developer guidelines

2. Patent Infringement

Risk: Some licenses don't grant patent rights, exposing users to litigation. Real Example:

A company using MIT-licensed code faced patent lawsuit because MIT doesn't include explicit patent grants.

Prevention:
  • Prefer Apache 2.0 for patent protection
  • Review patent clauses carefully
  • Consider patent insurance
  • Conduct patent searches for critical components

3. Attribution Failures

Risk: Failing to provide required attribution can trigger lawsuits. Real Example:

Multiple companies sued for removing copyright notices from BSD-licensed code, facing statutory damages up to $150,000 per violation.

Prevention:
  • Automate attribution generation
  • Include licenses in distributions
  • Maintain attribution database
  • Regular compliance audits

4. Commercial Use Restrictions

Risk: Some "open source" licenses restrict commercial use. Examples of Problematic Licenses:
  • Commons Clause
  • Server Side Public License (SSPL)
  • Business Source License (BSL)
  • Elastic License
Real Case:

A company built their infrastructure on Redis modules, then had to rebuild when Redis added Commons Clause restrictions.

Industry-Specific Risks

Financial Services

  • Regulatory scrutiny on software supply chain
  • Audit requirements for all components
  • Data protection obligations conflict with some licenses
  • Example: Bank fined $2M for using unlicensed cryptographic software

Healthcare

  • FDA compliance requires complete software disclosure
  • HIPAA requirements may conflict with cloud-based licenses
  • medical device certification needs license clarity
  • Example: Medical device recalled due to GPL violation concerns

Automotive

  • Safety certification requires source code access
  • Tivoization concerns with GPLv3
  • Patent pools complicate licensing
  • Example: Major automaker settled for $30M over infotainment system violations

Cost Analysis of License Violations

Direct Costs

  • Legal fees: $500K - $10M+
  • Settlements: $1M - $100M+
  • Compliance remediation: $200K - $5M
  • Code replacement: $500K - $20M

Indirect Costs

  • Business disruption: Lost revenue during remediation
  • Reputation damage: Customer and partner trust
  • Market position: Competitors gain advantage
  • Technical debt: Rush to replace components

Case Study: The $30 Million Mistake

A enterprise software company discovered GPL code in their flagship product:

  1. Discovery: Customer reported GPL code presence
  2. Impact: 50,000+ installations worldwide
  3. Resolution: 18-month remediation project
  4. Total cost: $30M+ including legal, development, and settlements

Risk Mitigation Strategies

1. Implement License Compliance Program

Components:
  • Written open source policy
  • Approval process for new dependencies
  • Regular training for developers
  • Compliance officer designation
  • Incident response plan

2. Use Automated Tools

Essential Tools: 

# Continuous scanning
license-scanner --fail-on-violation

# Pre-commit hooks
git config core.hooksPath .github/hooks

# Container scanning
[Docker](/guides/docker) scan --license-check image:tag

3. Establish Review Process

Review Checklist:

4. Create License Inventory

Track for each component:
  • Component name and version
  • License type and version
  • Usage type (static/dynamic/modified)
  • Attribution requirements
  • Source location
  • Review date
  • Approval status

Emerging Risks

AI/ML Model Licensing

  • Training data licenses affect model licensing
  • GPL-trained models may be considered derivative
  • Unclear legal precedents

Container and Cloud Native

  • Multi-layer license complexity
  • Base image compliance
  • Sidecar and operator licensing

Supply Chain Attacks

  • Malicious license changes
  • Dependency confusion attacks
  • License laundering through forks

Best Practices for Commercial Organizations

1. Pre-Acquisition Due Diligence

  • Complete license audit
  • Identify GPL/AGPL components
  • Calculate replacement costs
  • Review contributor agreements

2. Vendor Management

  • Require SBOM from all vendors
  • Include indemnification clauses
  • Regular compliance audits
  • Escrow source code

3. Developer Training

  • Regular license education
  • Clear usage guidelines
  • Approved component lists
  • Escalation procedures

4. Continuous Monitoring

  • Automated daily scans
  • Dependency update reviews
  • License change detection
  • Vulnerability correlation

Conclusion

License compliance failures can destroy companies. The cases presented here represent just a fraction of ongoing litigation. With automated tools and proper processes, these risks are entirely preventable.

The cost of compliance is minimal compared to the potential losses from violations. Start with automated scanning, implement clear policies, and maintain continuous monitoring. Your business depends on it.

Take Action Now

Don't wait for a lawsuit to discover license violations. Implement automated license scanning today and protect your business from costly legal action.