Open-source software is free to download - but that’s where the economics get interesting.
Alan DeKok, CEO and Founder, InkBridge Networks
The internet runs on open source. Google is built on it. Microsoft Azure is built on it. The entire authentication infrastructure of the modern web depends on it.
None of that stops large enterprise procurement teams from approaching open source as though it were a minefield.
The concerns I hear most often are not the ones I would worry about. They are not about security vulnerabilities in dependencies, supply chain attacks, or unmaintained packages - though those are real issues and worth taking seriously (we have written about open-source supply chain risks and hardware supply chain vulnerabilities elsewhere). The concerns that stall procurement conversations are about licences, liability, and indemnification - and they are almost always based on a misunderstanding of how open-source software works economically.
Open-source licence compliance is simpler than your legal team thinks
Open-source licences have a reputation for being complicated and legally treacherous. In practice, for most organisations, it comes down to two licence families and one straightforward question: are you redistributing the software, or just using it internally?
The two families are:
BSD/MIT-style licences say that if you redistribute something based on this software, you must tell people you are using it. That is essentially the entire obligation. Go to the console of any modern car and press the licences button - you will see pages of these notices scrolling past. That is BSD/MIT compliance in action.
GPL-style licences say that if you redistribute something based on this software, you must also make the source code available to the people you distribute it to.
The critical word in both cases is redistribute. If you are using open-source software inside your organisation - running it on your servers, using it to authenticate your users, building it into your internal infrastructure - and no one outside your organisation touches it, the licence terms of either family are largely irrelevant to you. You are not redistributing anything. The viral properties that people fear in the GPL do not apply to internal use.
This is no different from the Microsoft Windows licence. There are hundreds of pages of text in that licence. None of it changes what you do internally on your network or how you sell your own products. Open source works the same way.
There are edge cases - the Affero GPL has provisions that extend to software offered as a service over a network - but for the overwhelming majority of enterprises running this software internally, open-source licence compliance requires essentially nothing of them.
The warranty question: “no warranty expressed or implied”
Every open-source licence includes a clause that reads something like: the software is provided “as is”, without warranty of any kind, express or implied.
This surprises people who are used to commercial software agreements that include performance guarantees and remediation obligations. The surprise is understandable, but the clause makes sense once you understand the economics.
When you download open-source software for free, you are not entering into a contract with anyone. There is no consideration changing hands. There is no agreement to perform. There is, therefore, no basis for a warranty claim, and no one to make it against.
I sometimes get asked: “But what if it breaks? Who do I sue?”
The honest answer is: who would you sue, and what would you tell the judge? “I found this software on the internet. When I put it on my systems, it did not do what I wanted.” Lawsuits are grounded in contractual relationships and payments. You have neither with an open-source project.
The open-source software provides full indemnification up to the limit of what you paid for it - which is zero.
None of this means open-source software is unreliable. FreeRADIUS has been in continuous production use for 25 years. It handles authentication for networks with millions of users. The absence of a warranty is not a statement about quality; it is a statement about the economics of free software.
The indemnification conversation
This is where the conversations get circular.
A large enterprise finds FreeRADIUS. They like it. They like the price (free). Then procurement gets involved, and they come back with a requirement for unlimited indemnification - meaning that if someone sues them for patent infringement related to the software, we cover all their legal costs, no cap. They also want full liability coverage for any technical failures. And they want to pay $5,000 to $10,000 for the contract.
I have had this conversation with companies whose legal department budget exceeds our entire corporate revenue. I understand what they want. I cannot give it to them.
Here is why. Indemnification and liability coverage are, economically, a form of insurance. Insurance is priced relative to the risk being covered and the resources available to cover it. We are not a billion-dollar company with an army of lawyers on retainer and a war chest of patents to defend against infringement claims. We are a specialist firm. Our liability is covered by insurance, and that insurance has a reasonable limit.
Beyond that, there is a structural issue specific to open source: we do not own the copyright to FreeRADIUS in its entirety. It is a community project. We cannot grant you licence terms for software we do not wholly own any more than we can grant you the right to redistribute Windows under different terms. When you download FreeRADIUS, you receive it under the terms of its open source licence - direct from the community, not from us. We can support it, configure it, extend it, and customise it. We cannot change the licence.
So what can I offer? I can offer limited liability, capped at a reasonable amount tied to the value of the contract and the coverage our insurance supports. And I can be direct: if the requirement is truly unlimited indemnification, that is available. We add a zero or two to the price, use the additional revenue to purchase the necessary insurance coverage, and proceed. You can have open-source pricing and limited liability, or you can have enterprise pricing and enterprise liability terms. You cannot have both.
You do not get unlimited indemnification from Microsoft when you buy Windows. I am fairly confident that Windows presents a larger attack surface than a RADIUS server. The principle is the same.
What you are paying for when you pay us
When a customer engages InkBridge Networks, they are not purchasing FreeRADIUS. FreeRADIUS is free. They are purchasing our expertise, our support, our proprietary tooling built on top of FreeRADIUS - things like orchestration, management, and monitoring capabilities that make it practical to run FreeRADIUS at enterprise scale - and the accumulated knowledge of 25 years building and maintaining the software.
For our proprietary software - InkBridge RADIUS and related tools - we can offer normal commercial terms, because we own the intellectual property. We can negotiate licence terms. We accept the standard liability provisions that come with any commercial software agreement, within the limits of what a firm of our size can reasonably support.
For work we do around FreeRADIUS itself - support, configuration, customisation - the open-source licence terms apply to the software. Our liability for the work we do is reasonable and contractually defined. Our liability for software you downloaded for free from the internet is, structurally, zero - because that is the deal you made when you chose not to pay for it.
This is not unusual or unfair. It is the economics of open source, stated plainly.
Building in security
A word on the security and supply chain risks of open source, because they do matter and we take them seriously. The risks that OWASP, security researchers, and supply chain analysts document - vulnerable dependencies, unmaintained packages, compromised distribution channels, AI-generated contributions with subtle flaws - are real. They are also addressable through engineering practice rather than contract terms.
We PGP-sign all FreeRADIUS releases. We have been doing so for decades. We maintain active development on the software. We follow the principles of secure network architecture that we document and publish for our customers. We build software that is secure by design, not because a contract requires it, but because that is how we build software.
The difference between security risks and commercial risks is that security risks can be engineered away (for the most part). Commercial risks are a function of the economic model you have chosen. Opting for open source is a legitimate and, for most organisations, excellent choice - provided you understand what you are choosing.
Need more help?
If your team is wrestling with network authentication, a troubleshooting problem you can't resolve, or a system that needs to be more resilient, we can help. InkBridge Networks has 25 years of experience navigating these conversations - we wrote the RADIUS standards, we maintain FreeRADIUS, and we have seen every failure mode there is. Reach out to request a quote.