fix tests. new product advisories enhancements

This commit is contained in:
master
2026-01-25 19:11:36 +02:00
parent c70e83719e
commit 6e687b523a
504 changed files with 40610 additions and 3785 deletions

@@ -0,0 +1,219 @@
# Compliance Attestation Form
**Document Version:** 1.0.0
**Last Updated:** 2026-01-25
This document describes the compliance attestation process for Stella Ops Community
Plugin Grant users. For a fillable template, see `templates/self-attestation-form.md`.
---
## 1. Purpose
The compliance attestation process allows organizations to demonstrate compliance
with the Stella Ops Community Plugin Grant without enabling telemetry or undergoing
formal audit. It provides a trust-based mechanism for license compliance verification.
---
## 2. Who Should Attest
Annual attestation is recommended for:
- Organizations using Stella Ops in production
- Deployments approaching free tier limits (2+ environments, 500+ scans/day)
- Organizations with data governance policies prohibiting telemetry
- MSPs managing customer deployments
Attestation is **not required** for:
- Non-production or evaluation use
- Single-environment deployments well within limits
- Organizations with active telemetry enabled
---
## 3. Attestation Components
### 3.1 Operator Information
| Field | Description | Example |
|-------|-------------|---------|
| Organization Name | Legal entity name | Acme Corporation |
| Contact Name | Primary compliance contact | Jane Smith |
| Contact Email | Email for compliance communications | compliance@acme.com |
| Installation ID | From admin dashboard (optional) | inst_abc123xyz |
| Attestation Date | Date form completed | 2026-01-25 |
### 3.2 Usage Declaration
Declare current usage levels:
**Environment Count:**
- [ ] 1 Environment
- [ ] 2 Environments
- [ ] 3 Environments (maximum free tier)
- [ ] More than 3 Environments (requires commercial license)
**Scan Volume (peak 24-hour period in past year):**
- [ ] Under 100 scans/day
- [ ] 100-499 scans/day
- [ ] 500-999 scans/day (maximum free tier)
- [ ] Over 999 scans/day (requires commercial license)
### 3.3 Distribution Declaration
If redistributing Stella Ops or Plugins:
- [ ] We do not redistribute Stella Ops or Plugins
- [ ] We redistribute with LICENSE and NOTICE files preserved
- [ ] We redistribute Plugins only (not core Stella Ops)
- [ ] We include this Addendum verbatim in all distributions
- [ ] We do not offer Stella Ops as a competing managed service
### 3.4 SaaS/MSP Declaration
Select the applicable scenario:
- [ ] **Internal Use Only:** Stella Ops is used only by our employees/contractors
- [ ] **MSP Single-Tenant:** We host isolated instances for customers (license details below)
- [ ] **Not Applicable:** We do not provide hosted services
If MSP Single-Tenant, specify:
- Number of customer instances: ___
- License type per instance:
- [ ] Each customer has own license
- [ ] Our commercial license covers all instances
- [ ] Mix (specify below)
---
## 4. Certification Statement
By submitting this attestation, the undersigned certifies that:
1. The information provided is accurate to the best of their knowledge
2. The organization's use of Stella Ops complies with BUSL-1.1 and the Community
Plugin Grant
3. They have authority to make this attestation on behalf of the organization
4. They understand that false attestation may result in license termination
---
## 5. Submission Process
### Step 1: Download Template
Copy the template from `docs/legal/templates/self-attestation-form.md`
### Step 2: Complete Form
Fill in all required fields. Use "N/A" for non-applicable sections.
### Step 3: Internal Review
Have appropriate internal stakeholders review:
- Legal/Compliance team
- IT/Platform team (for technical accuracy)
- Management (for authorization)
### Step 4: Submit
Send completed form to: compliance@stella-ops.org
**Subject line:** `Compliance Attestation - [Organization Name] - [Year]`
### Step 5: Confirmation
- Acknowledgment within 10 business days
- Confirmation letter issued if attestation accepted
- Follow-up questions if clarification needed
---
## 6. Renewal
### 6.1 Annual Renewal
Attestation should be renewed annually:
- **Preferred:** Within 30 days of attestation anniversary
- **Grace period:** 60 days after anniversary
- **Reminder:** stella-ops.org will send reminder 30 days before due date
### 6.2 Material Changes
Submit updated attestation within 30 days if:
- Environment count increases
- Scan volume regularly exceeds 80% of limit
- Organization structure changes (merger, acquisition)
- Deployment model changes (internal to MSP)
---
## 7. Record Retention
### 7.1 Attestor Retention
Organizations should retain:
- Copy of submitted attestation
- Supporting documentation (usage reports, dashboard screenshots)
- Confirmation letter from stella-ops.org
**Recommended retention period:** 5 years
### 7.2 stella-ops.org Retention
stella-ops.org retains:
- Submitted attestations: 5 years
- Confirmation letters: Indefinitely
- Supporting communications: 3 years
---
## 8. Frequently Asked Questions
### Q: Is attestation mandatory?
**A:** No. Attestation is voluntary and recommended. It provides documented evidence
of compliance in case of future questions.
### Q: What if our usage changes after attesting?
**A:** Submit an updated attestation within 30 days of material changes. Good-faith
updates are appreciated and do not trigger penalties.
### Q: Can we attest for multiple installations?
**A:** Yes. Use one form per installation, or contact compliance@stella-ops.org for
a consolidated form for large deployments.
### Q: What happens if we can't attest to compliance?
**A:** Contact sales@stella-ops.org to discuss commercial licensing options. There's
no penalty for recognizing a need to upgrade.
### Q: Is the attestation legally binding?
**A:** The attestation is a representation of fact. Knowingly false attestation may
result in license termination. However, good-faith errors with prompt correction
are not penalized.
---
## 9. Contact
**Attestation submissions:**
compliance@stella-ops.org
**Questions about the process:**
legal@stella-ops.org
**Commercial licensing:**
sales@stella-ops.org
---
## See Also
- `templates/self-attestation-form.md` - Fillable template
- `ENFORCEMENT_TELEMETRY_POLICY.md` - Audit and telemetry details
- `LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md` - Full legal terms
---
*Document maintained by: Legal + Compliance Team*
*Last review: 2026-01-25*
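Review bot: Section 4 certifies on behalf of "the undersigned", but the field table in 3.1 has no signatory name, title, or signature/date-signed field, and Step 4 of Section 5 submits the form by plain e-mail, so nothing in the process binds the certification to an authorized person; add a signatory block to 3.1 (name, title, signature or a signed hash of the completed form) or state in Section 5 how a submission is authenticated. Also, 3.3's checkbox "We include this Addendum verbatim in all distributions" has no referent inside this form; name `LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md` explicitly, as the See Also list does.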

@@ -0,0 +1,299 @@
# Enforcement and Telemetry Policy
**Document Version:** 1.0.0
**Last Updated:** 2026-01-25
This document describes how stella-ops.org verifies compliance with the Community
Plugin Grant and free tier limits, including audit rights, telemetry options, and
privacy safeguards.
---
## 1. Compliance Philosophy
Stella Ops is committed to:
1. **Trust-based compliance** - We assume good faith from our users
2. **Minimal intrusion** - Verification should not burden legitimate users
3. **Privacy by design** - No collection of customer content or sensitive data
4. **Transparency** - Clear documentation of what we collect and why
---
## 2. Audit Rights
### 2.1 When Audits May Occur
stella-ops.org reserves the right to request compliance verification:
- **Frequency:** No more than once per calendar year per licensee
- **Notice:** Minimum 30 days written notice
- **Scope:** Limited to verification of Environment count and Scan volume
- **Trigger:** Audits may be initiated based on:
- Routine sampling of licensees
- Credible reports of non-compliance
- Self-reported concerns from licensees
### 2.2 Audit Process
**Step 1: Notice**
- Written notice via email to registered contact
- Specifies audit scope and requested documentation
- Provides minimum 30-day response window
**Step 2: Documentation Request**
- Licensee provides requested information:
- Number of active Environments
- Scan volume metrics (e.g., from Stella Ops admin dashboard)
- Deployment architecture summary
- No access to scan content, vulnerabilities, or business data required
**Step 3: Review**
- stella-ops.org reviews submitted documentation
- May request clarification on ambiguous items
- Typically completed within 15 business days
**Step 4: Resolution**
- Compliant: Written confirmation provided
- Minor variance: Grace period to remediate
- Significant non-compliance: Commercial license discussion
### 2.3 Audit Safeguards
All audits are conducted with:
- **Confidentiality:** All submitted information treated as confidential business
information under mutual NDA
- **Data protection:** GDPR-compliant handling of any personal data
- **Limited retention:** Audit documentation retained for maximum 3 years
- **No content access:** We never request access to scan results, source code,
or customer business data
---
## 3. Voluntary Telemetry
### 3.1 Telemetry Overview
Stella Ops provides an **optional** telemetry endpoint for users who wish to
automate compliance reporting.
**Key principles:**
- **Strictly opt-in:** Disabled by default
- **Aggregate metrics only:** No detailed scan data
- **Privacy-respecting:** No PII or customer content
- **User-controlled:** Can be disabled at any time
### 3.2 What Telemetry Collects (When Enabled)
| Metric | Description | Purpose |
|--------|-------------|---------|
| `installation_id` | Anonymous installation identifier | Deduplicate reports |
| `environment_count` | Number of active environments | License compliance |
| `scan_count_24h` | Scans in rolling 24-hour period | License compliance |
| `version` | Stella Ops version | Compatibility/support |
| `timestamp` | Report timestamp | Time-series analysis |
### 3.3 What Telemetry Does NOT Collect
- Scan results or vulnerability data
- Customer names or identifiers
- IP addresses (beyond transport layer)
- Source code or artifact contents
- User credentials or tokens
- Business-sensitive configuration
### 3.4 Enabling/Disabling Telemetry
**To enable:**
```yaml
# In stella-ops.yaml
telemetry:
enabled: true
endpoint: https://telemetry.stella-ops.org/v1/report
```
**To disable (default):**
```yaml
telemetry:
enabled: false
```
**Environment variable override:**
```bash
STELLAOPS_TELEMETRY_ENABLED=false
```
### 3.5 Telemetry Data Handling
- **Transmission:** TLS 1.3 encrypted
- **Storage:** Aggregated and anonymized within 24 hours
- **Retention:** Raw reports retained for maximum 90 days
- **Access:** Limited to license compliance team
- **No sale:** Never sold or shared with third parties
---
## 4. Self-Attestation
### 4.1 Overview
As an alternative to telemetry, licensees may provide annual self-attestation
of compliance. This is the recommended approach for organizations with strict
data governance requirements.
### 4.2 Attestation Process
1. **Download form:** `docs/legal/templates/self-attestation-form.md`
2. **Complete attestation:** Fill in required fields
3. **Submit:** Email to compliance@stella-ops.org
4. **Confirmation:** Receive acknowledgment within 10 business days
### 4.3 Attestation Frequency
- **Annual:** Submit once per calendar year
- **Upon request:** May be requested as part of audit
- **Voluntary updates:** Submit anytime if circumstances change
### 4.4 False Attestation
Knowingly providing false attestation information may result in:
- Immediate termination of license rights
- Requirement to obtain commercial license
- Potential legal action for license violation
---
## 5. Compliance Verification Methods
### 5.1 Recommended: Built-in Dashboard
Stella Ops includes a compliance dashboard at `/admin/compliance`:
```
Compliance Status
─────────────────
License Type: Community (Free Tier)
Environments: 2 of 3 (within limit)
Scans (24h): 456 of 999 (within limit)
Status: COMPLIANT
```
This dashboard can be used to:
- Monitor current usage against limits
- Generate compliance reports for audit
- Export metrics for self-attestation
### 5.2 API-Based Verification
Compliance metrics are available via API:
```bash
curl -H "Authorization: Bearer $ADMIN_TOKEN" \
https://your-instance/api/v1/admin/compliance/metrics
```
Response:
```json
{
"environment_count": 2,
"environment_limit": 3,
"scan_count_24h": 456,
"scan_limit_24h": 999,
"compliant": true,
"timestamp": "2026-01-25T14:30:00Z"
}
```
### 5.3 Log-Based Verification
For organizations that prefer log analysis:
```bash
# Extract compliance metrics from logs
grep "compliance_check" /var/log/stellaops/audit.log | tail -1
```
---
## 6. Remediation
### 6.1 Exceeding Limits
If you discover you've exceeded free tier limits:
1. **Immediate:** Usage may be throttled (see `30_QUOTA_ENFORCEMENT_FLOW1.md`)
2. **Short-term:** Reduce environments or scan volume to return to compliance
3. **Long-term:** Obtain commercial license for ongoing needs
### 6.2 Grace Period
For good-faith limit exceedances:
- **First occurrence:** 30-day grace period to remediate
- **Repeated occurrence:** 15-day grace period
- **Intentional abuse:** No grace period; commercial license required immediately
### 6.3 Commercial License Transition
If you need to exceed free tier limits:
- Contact sales@stella-ops.org
- Licenses can be backdated to cover grace period
- No penalty for good-faith users who remediate promptly
---
## 7. Privacy Commitments
stella-ops.org commits to the following privacy principles:
### 7.1 Data Minimization
We collect only the minimum data necessary for license compliance verification.
### 7.2 Purpose Limitation
Compliance data is used only for license verification, never for marketing or
sold to third parties.
### 7.3 User Control
- Telemetry is opt-in only
- Self-attestation is always available as alternative
- Users can request deletion of any collected data
### 7.4 GDPR Compliance
For EU users:
- Data Processing Agreement (DPA) available upon request
- Right to access, rectify, and delete data
- Data stored in EU-based infrastructure when EU endpoint selected
### 7.5 Contact
For privacy-related inquiries:
- Email: privacy@stella-ops.org
- DPO: dpo@stella-ops.org (EU users)
---
## 8. Questions and Support
**Compliance questions:**
- Email: compliance@stella-ops.org
**Technical questions about telemetry:**
- Documentation: `docs/admin/telemetry.md`
- Support: support@stella-ops.org
**Commercial licensing:**
- Email: sales@stella-ops.org
---
## See Also
- `LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md` - Full legal terms
- `docs/legal/30_QUOTA_ENFORCEMENT_FLOW1.md` - Quota enforcement behavior
- `docs/legal/templates/self-attestation-form.md` - Attestation form
- `docs/admin/telemetry.md` - Technical telemetry configuration
---
*Document maintained by: Legal + Privacy Office*
*Last review: 2026-01-25*
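Review bot: In 3.4 the `enabled` and `endpoint` keys appear at the same column as `telemetry:`, so as shown the YAML does not nest them under `telemetry` and they would parse as top-level keys; confirm the source file indents them (`telemetry:` / `  enabled: true` / `  endpoint: https://telemetry.stella-ops.org/v1/report`). The same section presents `STELLAOPS_TELEMETRY_ENABLED=false` as an override without saying whether the environment variable takes precedence over the file setting, which operators who must keep telemetry provably off need to know. Separately, 3.5 says reports are "aggregated and anonymized within 24 hours" and also that "raw reports" are retained for up to 90 days; state which of the two applies to the identifiable report, since both cannot be true of the same record.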

@@ -1,4 +1,4 @@
# Legal FAQ <EFBFBD> Free-Tier Quota & BUSL-1.1 Additional Use Grant
# Legal FAQ - Free-Tier Quota & BUSL-1.1 Additional Use Grant
> **Operational behaviour (limits, counters, delays) is documented in**
> [`30_QUOTA_ENFORCEMENT_FLOW1.md`](30_QUOTA_ENFORCEMENT_FLOW1.md).
@@ -6,6 +6,12 @@
> service or embedding it into another product while the free-tier limits are
> in place.
> **Plugin developers:** See [`PLUGIN_DEVELOPER_FAQ.md`](PLUGIN_DEVELOPER_FAQ.md)
> for plugin-specific licensing questions.
>
> **MSPs and SaaS providers:** See [`SAAS_MSP_GUIDANCE.md`](SAAS_MSP_GUIDANCE.md)
> for detailed hosting scenarios.
---
## 1 ? Does enforcing a quota violate BUSL-1.1?
@@ -45,7 +51,7 @@ obtained. Proprietary integration code does not have to be disclosed.
The BUSL-1.1 Additional Use Grant prohibits providing Stella Ops as a hosted or
managed service to third parties. SaaS/hosted use requires a commercial license.
## 5 <20> Is e-mail collection for the JWT legal?
## 5 <20> Is e-mail collection for the JWT legal?
* **Purpose limitation (GDPR Art. 5-1 b):** address is used only to deliver the
JWT or optional release notes.
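Review bot: The `## 5` heading in this hunk still carries the `<20>` mojibake on the new side, while the document title (first hunk of this file) and the `## 6 - Change-log` heading (next hunk) were normalized to a plain `-`; apply the same replacement here, and to the `## 1 ?` heading shown as context in the previous hunk, which has the same damage.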
@@ -58,10 +64,23 @@ Hence the token workflow adheres to GDPR principles.
---
## 6 <20> Change-log
---
## See Also
- [`PLUGIN_DEVELOPER_FAQ.md`](PLUGIN_DEVELOPER_FAQ.md) - Plugin development and distribution questions
- [`SAAS_MSP_GUIDANCE.md`](SAAS_MSP_GUIDANCE.md) - SaaS and MSP hosting scenarios
- [`ENFORCEMENT_TELEMETRY_POLICY.md`](ENFORCEMENT_TELEMETRY_POLICY.md) - Audit and telemetry details
- [`COMPLIANCE_ATTESTATION_FORM.md`](COMPLIANCE_ATTESTATION_FORM.md) - Self-attestation process
- [`LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md`](../../LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md) - Full addendum text
---
## 6 - Change-log
| Version | Date | Notes |
|---------|------|-------|
| **3.1** | 2026-01-25 | Added cross-references to Community Plugin Grant documentation. |
| **3.0** | 2026-01-20 | Updated for BUSL-1.1 Additional Use Grant. |
| **2.1** | 2026-01-20 | Updated for Apache-2.0 licensing (superseded by BUSL-1.1 in v3.0). |
| **2.0** | 2025-07-16 | Removed runtime quota details; linked to new authoritative overview. |

@@ -126,6 +126,41 @@ The following are considered **aggregation**, not derivation:
**Rationale:** These components communicate via network protocols, APIs, or standard interfaces and are not linked into StellaOps binaries.
### 3.5 Plugin Distribution (Community Plugin Grant)
The Community Plugin Grant Addendum (`LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md`)
provides additional terms for plugin development and distribution.
**When distributing StellaOps Plugins:**
```
Plugin Distribution
+-- Plugin code (your license)
+-- Attribution to StellaOps
+-- If derivative work:
+-- LICENSE (BUSL-1.1)
+-- LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md
+-- NOTICE.md
```
**Requirements by Plugin Type:**
| Plugin Type | License | Attribution | Include LICENSE | Include Addendum |
|-------------|---------|-------------|-----------------|------------------|
| API-only (no StellaOps code) | Your choice | Recommended | No | No |
| Includes StellaOps code | BUSL-1.1 | Required | Yes | Yes |
| Bundled with StellaOps | BUSL-1.1 | Required | Yes | Yes |
| Competing managed service | Commercial | N/A | N/A | N/A |
**Not Allowed Without Commercial License:**
- Redistributing plugins as part of a competing managed service offering
- White-labeling StellaOps functionality through plugins
- Embedding plugins in multi-tenant SaaS offerings to third parties
**See Also:**
- `docs/legal/PLUGIN_DEVELOPER_FAQ.md` - Detailed plugin licensing FAQ
- `docs/legal/SAAS_MSP_GUIDANCE.md` - SaaS and MSP hosting scenarios
---
## 4. Specific Dependency Analysis
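Review bot: The distribution tree in 3.5 has lost its nesting: every entry is prefixed `+--` at the same column, so `LICENSE (BUSL-1.1)`, the Addendum and `NOTICE.md` read as siblings of `If derivative work:` rather than as the items it conditions; indent those three (for example `|   +-- LICENSE (BUSL-1.1)`) so the conditional is visible. The table below it also marks Attribution as "Recommended" for API-only plugins, while the Plugin Developer FAQ added in this same commit (Q4) is headed "What attribution is required"; align the two documents on whether attribution for API-only plugins is required or recommended.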
@@ -289,8 +324,18 @@ Sample configuration files (`etc/*.yaml.sample`) are:
- [Apache 2.0 FAQ](https://www.apache.org/foundation/license-faq.html)
- [SPDX License List](https://spdx.org/licenses/)
- [REUSE Best Practices](https://reuse.software/tutorial/)
- [BUSL-1.1 License Text](https://spdx.org/licenses/BUSL-1.1.html)
---
## 9. Related Documents
- `LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md` - Community Plugin Grant Addendum
- `docs/legal/PLUGIN_DEVELOPER_FAQ.md` - Plugin developer FAQ
- `docs/legal/SAAS_MSP_GUIDANCE.md` - SaaS and MSP guidance
- `docs/legal/ENFORCEMENT_TELEMETRY_POLICY.md` - Audit and compliance policy
---
*Document maintained by: Legal + Security Guild*
*Last review: 2026-01-20*
*Last review: 2026-01-25*

@@ -0,0 +1,291 @@
# Plugin Developer FAQ
**Document Version:** 1.0.0
**Last Updated:** 2026-01-25
This FAQ addresses common questions from plugin developers working with the Stella Ops
Community Plugin Grant. For the full legal terms, see `LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md`
in the repository root.
---
## General Questions
### Q1: What constitutes a "Plugin" under the Community Plugin Grant?
**A:** A Plugin is a separately packaged extension that interfaces with Stella Ops using
documented public plugin APIs or integration points. This includes:
**Examples of Plugins:**
- Custom vulnerability connectors (e.g., integrating a proprietary vulnerability database)
- CI/CD integrations (e.g., Jenkins, GitLab CI, Azure DevOps plugins)
- Output formatters (e.g., custom report templates, dashboard integrations)
- Notification connectors (e.g., Slack, Teams, PagerDuty integrations)
- Scanner analyzers (e.g., language-specific dependency parsers)
- Policy gates (e.g., custom compliance rules)
**NOT Plugins (derivative works requiring BUSL-1.1 compliance):**
- Modifications to Stella Ops core source code
- Forks that include modified Stella Ops components
- Extensions that copy substantial portions of Stella Ops internals
### Q2: Can I sell my plugin commercially?
**A:** Yes. You may develop and sell plugins commercially under license terms of your
choosing (including proprietary terms), provided:
1. Your plugin does not include, copy, or modify Stella Ops source code; AND
2. You comply with the attribution requirements (see Q4).
Your commercial plugin license is entirely separate from the BUSL-1.1 license covering
Stella Ops itself.
### Q3: Do I need to open-source my plugin?
**A:** No. Plugins that interface with Stella Ops through public APIs do not need to be
open-sourced. You may use any license you choose, including proprietary licenses.
**Exception:** If your plugin includes, copies, or modifies any portion of Stella Ops
source code, it becomes a derivative work subject to BUSL-1.1.
### Q4: What attribution is required when distributing a plugin?
**A:** When distributing a plugin, you should:
1. **Acknowledge compatibility:** State that your plugin is designed for use with
Stella Ops (e.g., "Compatible with Stella Ops Suite")
2. **Include license reference:** If your plugin distribution includes any Stella Ops
components (even configuration samples), include the LICENSE and NOTICE files
3. **Link to source:** Provide a link to the Stella Ops source repository
(https://git.stella-ops.org)
**Minimum attribution example:**
```
This plugin is designed for use with Stella Ops Suite.
Stella Ops is licensed under BUSL-1.1. See https://git.stella-ops.org
```
---
## Usage Limits
### Q5: What counts as an "Environment"?
**A:** An Environment is a logically separated workspace within a Stella Ops installation.
The free tier allows up to 3 Environments per installation.
**Each of these counts as one Environment:**
- A "Development" environment for testing scans
- A "Staging" environment for pre-production validation
- A "Production" environment for live deployments
- A tenant/workspace in a multi-tenant setup
- A project or team workspace with isolated configuration
**These do NOT count as separate Environments:**
- High-availability replicas of the same environment
- Read replicas or cache nodes
- Backup/disaster recovery instances (if not actively used)
**Example scenarios:**
| Scenario | Environment Count |
|----------|------------------|
| Single dev laptop installation | 1 |
| Dev + Staging + Prod for one team | 3 |
| Two separate teams, each with Dev + Prod | 4 (requires commercial license) |
| MSP hosting 5 isolated customer instances | 5 (requires commercial license) |
### Q6: What counts as a "Scan"?
**A:** A Scan is one completed execution of Stella Ops' vulnerability or artifact analysis
pipeline that produces a new result. The free tier allows up to 999 Scans per calendar day.
**Counts as a Scan:**
- First-time scan of a container image (new hash)
- Re-scan of a modified image (hash changed)
- SBOM generation for a new artifact
- VEX statement generation for new findings
**Does NOT count as a Scan:**
- Cache hits (retrieving previously scanned results)
- Viewing existing scan reports
- Policy evaluation on cached data
- API queries for existing results
**Deduplication:** Stella Ops uses hash-based deduplication. Scanning the same artifact
multiple times only counts as one Scan if the hash hasn't changed.
### Q7: What happens if my users exceed the free limits?
**A:** If users of your plugin exceed the free tier limits (3 Environments or 999 Scans/day):
1. **They need a commercial license** - The user (not the plugin developer) is responsible
for licensing compliance
2. **Your plugin continues to work** - There's no technical enforcement in the plugin itself
3. **Quota enforcement is server-side** - Stella Ops may introduce delays after limits
are exceeded (see `docs/legal/30_QUOTA_ENFORCEMENT_FLOW1.md`)
As a plugin developer, you should:
- Document the free tier limits in your plugin documentation
- Recommend users contact stella-ops.org for commercial licensing if they exceed limits
- Not build quota circumvention into your plugin
---
## Bundling & Distribution
### Q8: Can I bundle Stella Ops core with my plugin?
**A:** This depends on how you bundle:
**Allowed (aggregation):**
- Shipping your plugin alongside Stella Ops as separate components
- Docker Compose files that reference Stella Ops images
- Helm charts that deploy Stella Ops as a dependency
- Installation scripts that download Stella Ops separately
**Requires BUSL-1.1 compliance (derivative work):**
- Embedding Stella Ops source code into your plugin
- Modifying Stella Ops binaries and redistributing
- Creating a single binary that includes Stella Ops components
**Requires commercial license:**
- Bundling into a competing managed service offering
- White-labeling Stella Ops functionality
### Q9: Can I create a plugin that modifies Stella Ops behavior at runtime?
**A:** Yes, if the modification uses documented extension points:
**Allowed:**
- Plugins that register custom handlers via plugin APIs
- Extensions that add new endpoints or processing steps
- Integrations that intercept and transform data via documented hooks
**Not allowed without BUSL-1.1 derivative work compliance:**
- Runtime patching of Stella Ops binaries
- Monkey-patching internal classes or methods
- Replacing core components at runtime
The key distinction is whether you're using **documented public APIs** (allowed) vs.
**undocumented internal behavior** (derivative work).
---
## Commercial Considerations
### Q10: Can my plugin be used with Stella Ops commercial/SaaS offerings?
**A:** Yes. Plugins designed for the Community Plugin Grant are compatible with commercial
Stella Ops deployments. Commercial customers may use community plugins subject to their
commercial license terms.
### Q11: Do I need Licensor approval to publish a plugin?
**A:** No. You do not need approval from stella-ops.org to:
- Develop plugins
- Publish plugins (open source or commercial)
- List plugins in third-party marketplaces
However, stella-ops.org may maintain an official plugin registry with quality/security
standards for listed plugins.
### Q12: Can MSPs provide plugins to their managed customers?
**A:** Yes, with these considerations:
1. **Plugin distribution:** MSPs can freely distribute plugins to customers
2. **Stella Ops licensing:** Each customer deployment must comply with BUSL-1.1:
- Within free tier limits; OR
- Covered by MSP's commercial license; OR
- Customer has their own commercial license
See `docs/legal/SAAS_MSP_GUIDANCE.md` for detailed MSP scenarios.
---
## Edge Cases
### Q13: Does the Community Plugin Grant apply to unofficial API integrations?
**A:** The grant specifically covers plugins using "documented public plugin APIs or
integration points." For unofficial or undocumented APIs:
- Using undocumented APIs is at your own risk (they may change without notice)
- The Community Plugin Grant still applies if you're not modifying source code
- Relying on internal implementation details may create a derivative work
**Recommendation:** Use documented APIs for stable, supported integration.
### Q14: Can I fork Stella Ops and call it something else?
**A:** Forking is allowed under BUSL-1.1, but:
1. **BUSL-1.1 applies to the fork** - Production use requires compliance with the
Additional Use Grant or a commercial license
2. **Attribution required** - You must preserve LICENSE, NOTICE, and copyright notices
3. **No trademark use** - You may not use Stella Ops trademarks for your fork
4. **Change Date applies** - After the Change Date (2030-01-20), the fork converts to
Apache-2.0
### Q15: What if my plugin becomes popular and used beyond free tier limits?
**A:** Success is good! If your plugin enables usage beyond free tier limits:
1. **Users are responsible for licensing** - Not you as the plugin developer
2. **Consider partnership** - Contact stella-ops.org about potential partnership or
revenue sharing arrangements
3. **Document clearly** - Ensure your plugin documentation explains licensing requirements
### Q16: Can I host a free scanning service for the community using my plugin?
**A:** The BUSL-1.1 restriction specifically targets "public multi-tenant **paid** hosting."
Non-commercial, free-of-charge hosting for community benefit may be eligible for the
Community Program.
**Potentially eligible:**
- Free scanning for open source projects
- Academic/educational free access
- Non-profit services for other non-profits
**Not eligible (requires commercial license):**
- "Free tier" that upsells to paid services
- Free scanning bundled with paid consulting
- Any scenario where the free service drives commercial revenue
**Process:** Apply to the Community Program at community@stella-ops.org. Approval is
not automatic and is evaluated based on genuine community benefit.
See `docs/legal/SAAS_MSP_GUIDANCE.md` Section 4.3 for detailed guidance.
---
## Getting Help
**Technical questions about plugin development:**
- Documentation: `docs/plugins/`
- Community forum: https://community.stella-ops.org
**Licensing questions:**
- Email: legal@stella-ops.org
- FAQ: This document and `docs/legal/LEGAL_FAQ_QUOTA.md`
**Commercial licensing:**
- Email: sales@stella-ops.org
- Website: https://stella-ops.org/pricing
---
## See Also
- `LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md` - Full legal terms
- `docs/legal/LEGAL_FAQ_QUOTA.md` - Quota and free tier FAQ
- `docs/legal/SAAS_MSP_GUIDANCE.md` - MSP and SaaS guidance
- `docs/legal/LICENSE-COMPATIBILITY.md` - License compatibility for dependencies
---
*Document maintained by: Legal + Developer Relations*
*Last review: 2026-01-25*
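Review bot: Q6 defines the free-tier scan window as "999 Scans per calendar day", while the Enforcement and Telemetry Policy in this same commit counts `scan_count_24h` over a "rolling 24-hour period" and the attestation form asks for the "peak 24-hour period"; the three windows give different counts for the same workload, so pick one and use it in all three documents. Q4's heading asks what attribution is "required" but the answer says "you should", and the LICENSE-COMPATIBILITY table marks attribution "Recommended" for API-only plugins; state which of the three listed items are mandatory and which are recommended.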

@@ -6,10 +6,21 @@ authoritative artifacts.
## Canonical documents
### Core License Files (Repository Root)
- Project license (BUSL-1.1 + Additional Use Grant): `LICENSE`
- Community Plugin Grant Addendum: `LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md`
- Third-party notices: `NOTICE.md`
### Compliance & Compatibility
- Full dependency inventory: `docs/legal/THIRD-PARTY-DEPENDENCIES.md`
- License compatibility guidance: `docs/legal/LICENSE-COMPATIBILITY.md`
- Additional Use Grant summary and quotas: `docs/legal/LEGAL_FAQ_QUOTA.md`
- Regulator-grade threat and evidence model: `docs/legal/LEGAL_COMPLIANCE.md`
- Cryptography compliance notes: `docs/legal/crypto-compliance-review.md`
### Plugin & Distribution Guidance
- Plugin developer FAQ: `docs/legal/PLUGIN_DEVELOPER_FAQ.md`
- SaaS and MSP licensing guidance: `docs/legal/SAAS_MSP_GUIDANCE.md`
- Enforcement and telemetry policy: `docs/legal/ENFORCEMENT_TELEMETRY_POLICY.md`
- Compliance attestation process: `docs/legal/COMPLIANCE_ATTESTATION_FORM.md`
- Self-attestation form template: `docs/legal/templates/self-attestation-form.md`

@@ -0,0 +1,356 @@
# SaaS and MSP Licensing Guidance
**Document Version:** 1.0.0
**Last Updated:** 2026-01-25
This document provides detailed guidance on Stella Ops licensing for SaaS providers,
Managed Service Providers (MSPs), and hosting scenarios. For the full legal terms,
see `LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md`.
---
## Overview
The Stella Ops BUSL-1.1 license with Community Plugin Grant restricts providing Stella
Ops as a commercial hosted service to third parties. This document clarifies what is
and isn't permitted under different hosting scenarios.
**Key Principle:** The restriction targets commercial offerings that compete with
Stella Ops' own hosted services, not legitimate internal use or isolated customer
deployments.
---
## 1. Prohibited: Multi-Tenant SaaS Offerings
The following are **NOT permitted** without a commercial license:
### 1.1 Public SaaS Platform
**Prohibited:** Operating a multi-tenant SaaS platform that provides Stella Ops
functionality to paying customers.
**Example (prohibited):**
```
AcmeScan.io
├── Customer A (paying subscriber)
├── Customer B (paying subscriber)
├── Customer C (paying subscriber)
└── Shared Stella Ops infrastructure
```
**Why prohibited:** This directly competes with Stella Ops' commercial SaaS offering.
### 1.2 White-Label Hosting
**Prohibited:** Rebranding Stella Ops and selling it as your own hosted product.
**Example (prohibited):**
```
"PowerScan Pro" (white-labeled Stella Ops)
├── Sold as monthly subscription
├── Marketed as proprietary technology
└── Runs on shared infrastructure
```
**Why prohibited:** This is commercial redistribution as a competing service.
### 1.3 Embedded SaaS Features
**Prohibited:** Embedding Stella Ops scanning as a feature in your commercial SaaS product.
**Example (prohibited):**
```
AcmeDevPlatform.com (commercial SaaS)
├── Code repository feature
├── CI/CD pipeline feature
├── "Security Scanning" feature <- Powered by embedded Stella Ops
└── Charged as part of subscription
```
**Why prohibited:** Stella Ops functionality is being monetized as part of a third-party
service offering.
---
## 2. Permitted: Internal Use
The following **ARE permitted** under the Community Plugin Grant:
### 2.1 Internal Enterprise Deployment
**Permitted:** Deploying Stella Ops for your organization's internal use.
**Example (permitted):**
```
Acme Corp Internal
├── Development team scans
├── Security team analysis
├── Compliance reporting
└── Accessed only by Acme employees/contractors
```
**Why permitted:** Internal use for the licensee's own business operations.
### 2.2 Internal Platform Team
**Permitted:** A platform/DevOps team providing Stella Ops to internal development teams.
**Example (permitted):**
```
Acme Corp Platform Team
├── Hosts Stella Ops on internal infrastructure
├── Provides scanning service to:
│ ├── Team Alpha (internal)
│ ├── Team Beta (internal)
│ └── Team Gamma (internal)
└── All users are Acme employees
```
**Why permitted:** All users are within the same organization.
### 2.3 Subsidiary/Affiliate Use
**Permitted:** Parent company hosting for subsidiaries under common control.
**Example (permitted):**
```
Acme Holdings
├── Acme Corp (subsidiary) - uses hosted Stella Ops
├── Acme Europe (subsidiary) - uses hosted Stella Ops
└── Acme Asia (subsidiary) - uses hosted Stella Ops
```
**Why permitted:** Affiliates under common control are treated as one organization.
---
## 3. Permitted with Conditions: MSP Single-Tenant Hosting
Managed Service Providers may host Stella Ops for customers under specific conditions.
### 3.1 Single-Tenant Isolated Deployments
**Permitted (with commercial license):** MSP hosting separate Stella Ops instances for
each customer.
**Example (permitted with commercial license):**
```
AcmeMSP Infrastructure
├── Customer A Instance (isolated)
│ ├── Dedicated Stella Ops deployment
│ ├── Customer A data only
│ └── Covered by AcmeMSP commercial license
├── Customer B Instance (isolated)
│ ├── Dedicated Stella Ops deployment
│ ├── Customer B data only
│ └── Covered by AcmeMSP commercial license
└── No shared infrastructure between customers
```
**Requirements:**
- Each instance must be fully isolated
- MSP must have commercial license covering all instances
- Or each customer must have their own commercial license
### 3.2 Customer-Licensed Deployments
**Permitted:** MSP managing infrastructure where customer holds the license.
**Example (permitted):**
```
AcmeMSP (infrastructure only)
├── Customer A Infrastructure
│ ├── Customer A's Stella Ops license
│ ├── MSP manages infrastructure
│ └── Customer controls license compliance
└── Customer B Infrastructure
├── Customer B's Stella Ops license
└── MSP manages infrastructure
```
**Why permitted:** The customer (not MSP) is the licensee; MSP provides only
infrastructure management.
---
## 4. Gray Areas: Guidance for Common Scenarios
### 4.1 Consulting with Temporary Access
**Scenario:** Security consultant deploys Stella Ops at client site for an engagement.
**Analysis:**
- If consultant's license: Consultant needs commercial license for third-party use
- If client's license: Client uses their free tier or commercial license
**Recommendation:** Client should obtain their own license; consultant assists with
deployment.
### 4.2 Training/Demo Environments
**Scenario:** Providing training environments with Stella Ops to external trainees.
**Analysis:**
- Temporary, non-production training: Generally permitted under non-production use
- Ongoing access for trainees: May require commercial license depending on duration
**Recommendation:** Contact legal@stella-ops.org for training program licensing.
### 4.3 Non-Commercial Community Hosting
**Scenario:** Hosting Stella Ops scanning as a free service for community benefit.
The BUSL-1.1 restriction specifically targets "public multi-tenant **paid** hosting."
Non-commercial hosting for community benefit may be eligible for the Community Program.
**Examples of potentially eligible scenarios:**
- Free scanning services for open source projects
- Academic/educational institutions providing free access to students
- Non-profit organizations providing free services to other non-profits
- Community-run instances for local developer communities
**Requirements for Community Program consideration:**
1. Service must be genuinely free (no fees, subscriptions, or required purchases)
2. Service must not be a loss-leader for commercial offerings
3. Service must not compete directly with Licensor's commercial offerings
4. Organization must apply and be approved by Licensor
**Analysis:**
- Non-commercial, community benefit: Contact community@stella-ops.org for evaluation
- If charging any fees: Requires commercial license (not eligible for Community Program)
- If bundled with paid services: Requires commercial license
**Recommendation:** Apply for Community Program at https://stella-ops.org/community
**Important:** Community Program approval is not automatic. Licensor reserves the right
to evaluate each application based on community benefit, competitive impact, and
alignment with program goals.
### 4.4 Reseller/Channel Partner
**Scenario:** Reselling Stella Ops commercial licenses with implementation services.
**Analysis:**
- Reselling licenses: Requires authorized reseller agreement
- Implementation services: Permitted under customer's license
**Recommendation:** Contact sales@stella-ops.org for reseller program details.
---
## 5. Compliance Checklist
### For Internal Deployments
- [ ] All users are employees, contractors, or affiliates of the licensee
- [ ] Deployment is within free tier limits (3 environments, 999 scans/day) OR
commercial license obtained
- [ ] LICENSE and NOTICE files preserved
- [ ] No third-party access to functionality
### For MSP Deployments
- [ ] Each customer instance is fully isolated
- [ ] Either MSP or customer holds valid license for each instance
- [ ] No shared multi-tenant infrastructure
- [ ] Clear documentation of license responsibility
- [ ] Annual compliance attestation completed
### For Any Hosted Scenario
- [ ] Not marketed as competing SaaS product
- [ ] Not white-labeled or rebranded
- [ ] Not embedded in commercial SaaS offering
- [ ] Attribution requirements met
---
## 6. Decision Tree
```
Is Stella Ops functionality being provided to third parties?
├─ NO → Internal use permitted (within free tier or with commercial license)
└─ YES → Is it a commercial offering (paid or part of paid service)?
├─ NO (genuinely free, community benefit)
│ │
│ ├─ Apply for Community Program (community@stella-ops.org)
│ │
│ └─ If approved → Permitted under Community Program terms
│ If not approved → Commercial license required
└─ YES (paid, or free-as-loss-leader for paid services)
└─ Is each customer fully isolated (single-tenant)?
├─ NO → Commercial SaaS license required
│ (contact sales@stella-ops.org)
└─ YES → MSP single-tenant model
├─ MSP holds commercial license covering all instances
│ → Permitted
└─ Each customer holds their own license
→ Permitted (MSP provides infrastructure only)
```
**Key distinction:** The restriction targets "public multi-tenant **paid** hosting."
Non-commercial hosting for genuine community benefit may qualify for the Community Program,
but requires explicit approval from Licensor.
---
## 7. Examples of Compliance Violations
The following are examples of arrangements that would violate the license:
1. **"Vulnerability Scanning as a Service"** - Public signup for scanning services
powered by Stella Ops without commercial license
2. **DevSecOps Platform Bundle** - Including Stella Ops scanning in a paid platform
subscription without commercial license
3. **Shared MSP Instance** - Multiple MSP customers sharing a single Stella Ops
deployment
4. **"Free Tier Arbitrage"** - Running multiple free-tier installations to serve
third-party customers
5. **Competitive Forking** - Forking Stella Ops and offering it as a competing
hosted service
---
## 8. Getting Commercial License
If your use case requires a commercial license:
**Contact:**
- Email: sales@stella-ops.org
- Website: https://stella-ops.org/pricing
**License options include:**
- Per-environment licensing
- Unlimited scan licensing
- MSP/reseller programs
- OEM/embedded licensing
**Volume discounts** available for MSPs and enterprise deployments.
---
## See Also
- `LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md` - Full legal terms
- `docs/legal/LEGAL_FAQ_QUOTA.md` - Quota and free tier FAQ
- `docs/legal/PLUGIN_DEVELOPER_FAQ.md` - Plugin developer questions
- `docs/legal/ENFORCEMENT_TELEMETRY_POLICY.md` - Audit and compliance verification
---
*Document maintained by: Legal + Sales Operations*
*Last review: 2026-01-25*
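Review bot: Section 3.2 leaves open whether a customer's free-tier use counts as "Customer A's Stella Ops license" when the MSP operates the infrastructure. Section 4.1 explicitly lets a client "use their free tier or commercial license" when a consultant deploys for them, but section 7 item 4 prohibits "Free Tier Arbitrage" for serving third-party customers, so an MSP managing several customers' free-tier instances cannot tell from this text which side of the line it is on. Suggest stating in 3.2 whether the free-tier entitlement is per customer organization (permitted, since the customer is the licensee) and reflecting that in the decision tree branch "Each customer holds their own license". Also, section 5 lists "Annual compliance attestation completed" as an MSP checklist item while section 3.1 lists only isolation and license coverage as requirements; align the two so the attestation is either added to the requirements in 3.1 or marked as recommended in the checklist.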


@@ -0,0 +1,188 @@
# Stella Ops Compliance Self-Attestation Form
**Form Version:** 1.0.0
**Attestation Period:** [YEAR]
---
## Instructions
1. Complete all sections marked with `[ ]` or `___`
2. Replace placeholder text `[...]` with your information
3. Have an authorized representative sign
4. Submit to: compliance@stella-ops.org
5. Retain a copy for your records
---
## Section 1: Operator Information
| Field | Value |
|-------|-------|
| **Organization Legal Name** | [Full legal name of organization] |
| **Primary Contact Name** | [Name of compliance contact] |
| **Primary Contact Email** | [Email address] |
| **Primary Contact Phone** | [Phone number - optional] |
| **Mailing Address** | [Business address] |
| **Installation ID** | [From /admin/compliance dashboard, or "Not Available"] |
| **Attestation Date** | [YYYY-MM-DD] |
---
## Section 2: Usage Declaration
### 2.1 Environment Count
Current number of active Environments in this installation:
- [ ] 1 Environment
- [ ] 2 Environments
- [ ] 3 Environments
- [ ] More than 3 Environments
If more than 3 Environments, commercial license reference: _______________
### 2.2 Scan Volume
Peak daily scan volume (new hash scans) in the past 12 months:
- [ ] Under 100 scans/day
- [ ] 100 - 499 scans/day
- [ ] 500 - 999 scans/day
- [ ] Over 999 scans/day
If over 999 scans/day, commercial license reference: _______________
### 2.3 Usage Metrics Source
How were the above metrics determined?
- [ ] Stella Ops admin dashboard
- [ ] API metrics endpoint
- [ ] Log analysis
- [ ] Estimate based on operational knowledge
- [ ] Other: _______________
---
## Section 3: Distribution Declaration
### 3.1 Redistribution Status
- [ ] We do NOT redistribute Stella Ops or Stella Ops Plugins
- [ ] We redistribute Stella Ops (complete Section 3.2)
- [ ] We redistribute Plugins only (complete Section 3.3)
### 3.2 Stella Ops Redistribution (if applicable)
- [ ] LICENSE file included in all distributions
- [ ] NOTICE.md file included in all distributions
- [ ] LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md included
- [ ] Modified files marked with change notices
- [ ] Not offered as competing managed service
Distribution channels: _______________
### 3.3 Plugin Redistribution (if applicable)
- [ ] Plugin does not include Stella Ops source code
- [ ] Attribution to Stella Ops included
- [ ] Plugin documentation references Stella Ops licensing
Plugin name(s): _______________
---
## Section 4: SaaS / MSP Declaration
### 4.1 Deployment Model
Select ONE:
- [ ] **Internal Use Only**
- Stella Ops accessed only by our employees, contractors, and affiliates
- No third-party access to Stella Ops functionality
- [ ] **MSP Single-Tenant Hosting**
- We host isolated Stella Ops instances for customers
- Complete Section 4.2
- [ ] **Commercial SaaS License**
- We have a commercial license for SaaS/hosted use
- License reference: _______________
### 4.2 MSP Details (if applicable)
Number of customer instances hosted: _______________
License coverage:
- [ ] Our commercial license covers all customer instances
- [ ] Each customer has their own Stella Ops license
- [ ] Mixed (describe): _______________
Instance isolation:
- [ ] Each customer has dedicated infrastructure (compute, storage)
- [ ] No data sharing between customer instances
- [ ] Customers cannot access each other's data or results
---
## Section 5: Certification
I certify that:
1. [ ] The information in this attestation is accurate and complete to the best of
my knowledge
2. [ ] Our organization's use of Stella Ops complies with the Business Source
License 1.1 and the Community Plugin Grant Addendum
3. [ ] I am authorized to make this attestation on behalf of the organization
named above
4. [ ] I understand that knowingly providing false information may result in
termination of license rights
5. [ ] I will notify stella-ops.org within 30 days of any material changes to
the information provided
---
## Section 6: Signature
| Field | Value |
|-------|-------|
| **Printed Name** | ___________________________ |
| **Title/Role** | ___________________________ |
| **Signature** | ___________________________ |
| **Date** | ___________________________ |
---
## Section 7: Internal Use Only (stella-ops.org)
| Field | Value |
|-------|-------|
| Received Date | |
| Reviewed By | |
| Review Date | |
| Status | [ ] Accepted [ ] Clarification Needed [ ] Referred to Sales |
| Confirmation Sent | |
| Notes | |
---
## Submission
**Email completed form to:** compliance@stella-ops.org
**Subject line:** `Compliance Attestation - [Organization Name] - [Year]`
**Attachments (optional but recommended):**
- Screenshot of /admin/compliance dashboard
- Usage report export (if available)
---
*Form version 1.0.0 | Effective 2026-01-25*
*Questions? Contact legal@stella-ops.org*
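Review bot: Section 4.1 says "Select ONE" but offers no option for the non-commercial Community Program hosting described in `SAAS_MSP_GUIDANCE.md` section 4.3 and in its decision tree; an approved community instance serves third parties without a commercial license and fits none of "Internal Use Only", "MSP Single-Tenant Hosting" or "Commercial SaaS License". Add a fourth option with a field for the Community Program approval reference. Two smaller points: Section 3.1 is also single-choice, so an organization that redistributes both Stella Ops and Plugins cannot answer it (allow both boxes or add a combined option); and certification item 5 says "notify stella-ops.org" without naming an address, whereas the Submission block gives compliance@stella-ops.org, so name that mailbox in item 5.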