Open Source Software: free vs. commercial licensing

The open source movement has significantly changed the software industry over the last decade. Nowadays, open source projects are available for almost any functionality you can imagine. That gives everybody, businesses as well as individuals, a lot of freedom, because there are many alternatives to choose from. So, when a business decides which software to use for its product or operations, what criteria should it consider?

Well, there are several: costs, quality, security and feature completeness. Depending on the use case, some will be more important than others.

However, when a business integrates 3rd party software into a customer-facing product, there is a strong case for choosing software that is backed by a company. Here are the reasons why:

Cost

The cost usually comprises a one-off integration cost plus running costs:

Total Cost = (License Fee) + (Integration Cost) + (Maintenance/Support/Bugfix Cost)

Open source projects that are not backed by a company often come with liberal licenses. So the License Fee is zero, but they DO NOT provide integration help or a guaranteed maintenance and bugfix service. This means the business has to spend its own resources to maintain, support and fix the software, and that effort regularly exceeds the initial estimate by a wide margin and ends up as a notable expense.

On the other hand, open source software that is backed by a company often provides both integration help and guaranteed maintenance. Despite the License Fee, this drives the total cost down, sometimes substantially, compared to non-commercial projects.

Security, user base and brand protection

Any software can turn out to contain a security vulnerability; nobody can guarantee their software is completely bug-free. When a security research group finds a vulnerability, the usual practice (coordinated disclosure) is to contact the software vendor privately and, after a fixed period (commonly 90 days), to make the vulnerability public. Publication of the details is a major risk to businesses that still run the vulnerable version, since an attacker then has potentially everything needed to compromise their systems. It is critical that a business has patched before the public release, not after.

Let's look at the case where a security hole is found in an open source project which is not backed by a company. Depending on the project's activity and size, the hole may or may not be fixed promptly - there is no guarantee. But most importantly, such a project cannot notify its users directly, since the project owners do not know who their users are; at best it publishes an advisory that users have to go looking for. So a business that uses 3rd party software not backed by a company risks finding out about a security hole only when the vulnerability information goes public - and that's too late.

On the other hand, when an open source project is backed by a company, the company knows its customers, and fixing the security hole and notifying them is a top priority, long before the vulnerability information goes public. In that case, the user base and the corporate brand stay protected.

Summary

All in all, if you're a business and want to integrate 3rd party software into your customer-facing product, choose software that is backed by a company.

At Cesanta, we develop best in class software for network communication: the Mongoose Embedded Web Server Library. It is open source, and backed by a commercial entity - us! Our goal is to keep it the best on the market and to take the load of managing network communication issues off our customers, so they can focus on their own product development plans.

To contact: send us a message or ask on the developer forum.