git.stella-ops.org/docs-archived/product/advisories/25-Jan-2026 - Community Plugin Grant Addendum to BUSL-1.1.md

Additional Community Plugin Grant - StellaOps Addendum to BUSL-1.1

Archived: 2026-01-25
Status: Implemented
Sprint: SPRINT_20260125_001_DOCS_community_plugin_grant_addendum


Original Advisory

Here's a ready-to-ship "Additional Use Grant" addendum you can attach to BUSL-1.1 to open a free community plugin tier while still blocking SaaS copycats.


Additional Community Plugin Grant - StellaOps Addendum to BUSL-1.1

  1. Definitions. For purposes of this Addendum: (a) "Plugin" means a separately packaged extension written to interface with the Licensed Work using documented public plugin APIs or integration points published by Licensor; (b) "Environment" means an instance of the Licensed Work under the control of a single legal entity (customer/organization) and deployed to a unique production orchestration boundary (example: a distinct on-prem cluster, a private cloud tenant, or a named cloud account); (c) "Scan" means one completed execution of the Licensed Work's vulnerability or artifact analysis pipeline that produces a report or SBOM/VEX output and is billed or metered as a single unit by Licensor's published metrics.

  2. Community Plugin Grant. Notwithstanding anything to the contrary in BUSL-1.1, Licensor hereby grants each Recipient a worldwide, non-exclusive, royalty-free license to: (i) use, run, and reproduce a Plugin in production solely for the Recipient's internal business operations in up to three (3) Environments; and (ii) perform up to nine hundred and ninety-nine (999) Scans per calendar day across all such Environments. This grant extends to modification and redistribution of the Plugin under the same terms, provided redistribution is not packaged with a commercial managed hosting offering in breach of Section 4 below.

  3. Distribution & Attribution. Recipients may distribute Plugin source or binaries under the same license terms as the Licensed Work (including this Addendum). Distributed copies must retain a conspicuous attribution to Licensor and include this Addendum verbatim. Redistribution that embeds or repackages Licensor's core runtime binaries into a commercial product that functions as a competing managed service requires a separate commercial license from Licensor.

  4. SaaS / Managed Offering Restriction. Recipients are not permitted to offer the Licensed Work or a Plugin (or a service that substantially replicates the Licensed Work's core features) as a commercial hosted service, SaaS, or managed/white-label hosting offering to third parties without a separate written commercial license from Licensor. This restriction applies whether the service is offered directly, via a reseller, or embedded into a larger multi-tenant managed platform. Limited exceptions: an organization may host the Licensed Work internally for its own customers (e.g., an MSP hosting distinct single-tenant instances per customer) only if each hosted instance is covered by the organization's commercial license or if the hosted instance remains fully isolated and used exclusively by the licensee's employees and affiliates; public multi-tenant paid hosting that provides the Licensed Work's functionality to unrelated third parties is prohibited under this Addendum absent commercial licensing.

  5. Enforcement & Telemetry. Licensor may reasonably audit or require self-reporting to verify compliance with the Environment and Scan limits; Licensor may provide an optional, privacy-respecting metering endpoint for voluntary telemetry; any audit shall be subject to standard confidentiality and data-protection safeguards.

  6. Term & Upgrade. This Addendum applies to releases of the Licensed Work that include it; Licensor may amend the numeric limits (Environments / Scans) by publishing a new Addendum version; such changes do not retroactively affect prior distributions.

  7. No waiver of other BUSL rights. Except as explicitly modified by this Addendum, all terms of BUSL-1.1 remain in full force and effect.

  8. Legal & Compliance Notice. This Addendum is intended as a narrow community grant to encourage plugin ecosystems while protecting Licensor's commercial SaaS market; it is not legal advice and should be reviewed by counsel prior to publication.


Why this fits BUSL-1.1 (and how it compares)

  • BUSL-1.1 explicitly allows "Additional Use Grants" to carve out limited production rights; your addendum uses that exact mechanism. (spdx.org)
  • The SaaS/managed-service limitation mirrors how other source-available models protect against hosted competitors (e.g., Confluent Community License "Excluded Purpose," Elastic ELv2 limits, SSPL's service operator obligations); the legal mechanics differ, but the goal of restricting hosted competition is the same. (Confluent)

Mini change log (what changed vs BUSL and why)

  • Added an explicit community plugin grant with 3 Environments / 999 Scans/day to allow bounded production usage without a commercial license. (Maps to BUSL's Additional Use Grant.) (spdx.org)
  • Clarified distribution channels for plugins and attribution retention; barred repackaging into competing managed services (a narrower prohibition akin to Confluent/Elastic patterns). (Confluent)
  • Made SaaS prohibition explicit, using a permission-based restriction (not SSPL-style copyleft requirements). (MongoDB)

EU competition & privacy flags (quick)

  • Competition: Numeric caps + SaaS carve-out can face scrutiny if you hold market power; get EU/EEA competition counsel to review positioning and reseller language. (Background on recent license shifts and scrutiny.) (DataCenterKnowledge)
  • Privacy/GDPR: Keep telemetry strictly opt-in, data-minimized, and backed by a DPA; avoid collecting customer content during audits. (General best-practice.) (Elastic)

Practical next steps

  1. Publish this as "Appendix A - Community Plugin Grant" in your repo next to BUSL-1.1.
  2. Add a short FAQ (what counts as a Plugin, how to count Environments/Scans, examples of a managed-service breach).
  3. Provide a simple self-attestation form and optional metering endpoint to help users stay inside the limits. (HashiCorp's BUSL pages/FAQ are a good model for clear interpretive guidance.) (HashiCorp | An IBM Company)

If you want, I can also tailor a 1-page FAQ and a compliance attestation template to drop into LICENSES/ and your website.


Implementation Summary

Documents Created

  • LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md - Main addendum (root)
  • docs/legal/PLUGIN_DEVELOPER_FAQ.md - Plugin developer FAQ
  • docs/legal/SAAS_MSP_GUIDANCE.md - SaaS/MSP guidance
  • docs/legal/ENFORCEMENT_TELEMETRY_POLICY.md - Enforcement policy
  • docs/legal/COMPLIANCE_ATTESTATION_FORM.md - Attestation process
  • docs/legal/templates/self-attestation-form.md - Fillable template

Documents Updated

  • LICENSE - Added Section 5 referencing addendum
  • NOTICE.md - Added plugin attribution section
  • docs/legal/README.md - Added all new document links
  • docs/legal/LEGAL_FAQ_QUOTA.md - Added cross-references
  • docs/legal/LICENSE-COMPATIBILITY.md - Added plugin distribution section

Key Decisions

  1. Created addendum as separate file (not embedded in LICENSE) for independent versioning
  2. Created comprehensive FAQ rather than minimal one
  3. Created templates directory for fillable forms

Deferred Items

  • CI workflow updates for addendum validation
  • Plugin development documentation (separate from legal docs)
  • Legal counsel review (external dependency)