Open Source Software Components Policy

Reviewed: 12/15/2025
Updated: 1/21/2025

  1. Using open source software (OSS) components accelerates development, improves maintainability, and reduces time to market; however, certain open source licenses carry the risk of contaminating proprietary software with copyleft terms, such as requiring that the software be shared openly or prohibiting commercial use.
  1. The Open Source Software License Policy ensures that the team is empowered to use components to deliver a better platform, security, customer experience, and time to market while eliminating the risk of open source contamination.
  1. All Open Source Software components shall be licensed under a commercially friendly, non-copyleft open source license. Acceptable licenses include:

    • BSD
    • Apache
    • MIT
    • ICS
  2. Unacceptable licenses include but are not limited to:

    • GPL
    • LGPL
    • MS-RL
  3. Any licenses not listed above must be approved by the VP of Products and Technology or the CEO and must be documented in the open source content list.

  4. Package dependencies must be scanned with a code analysis tool, such as npm audit, to identify vulnerabilities.

  5. The Open Source Software components in use must have their licenses reviewed annually to ensure compliance with the above requirements.