Open Source Software Components Policy
2025.1
Reviewed: 1/21/2025
Updated: 1/21/2025
Purpose and Scope:
- Using open source software (OSS) components accelerates development, improves maintainability, and reduces time to market; however, certain open source licenses carry the risk of contaminating proprietary software with copyleft terms that require openly sharing the software, prohibit commercial use, etc.
Background:
- The Open Source Software License Policy ensures that the team is empowered to use components to deliver a better platform, security, customer experience, and time to market while eliminating the risk of open source contamination.
Controls and Procedures:
All Open Source Software components shall be licensed under a commercially friendly, non-copyleft, open source license. Acceptable licenses include:
- BSD
- Apache
- MIT
- ISC
Unacceptable licenses include but are not limited to:
- GPL
- LGPL
- MS-RL
Any licenses not listed above must be approved by the VP of Products and Technology or the CEO and must be documented in the open source content list.
Package dependencies must be scanned with a code analysis tool, such as npm audit, to identify vulnerabilities.
The Open Source Software components in use must have their licenses reviewed annually to ensure compliance with the above requirements.