nerdexam
(ISC)2

CISSP · Question #8

Which of the following is the PRIMARY risk with using open source software in a commercial software construction?

The correct answer is B. License agreements requiring release of modified code. The primary risk of incorporating open source software into commercial products centers on licensing obligations, particularly copyleft licenses that mandate releasing modified or derived source code publicly.

Submitted by kevin_r· Mar 5, 2026Governance, Risk, and Compliance

Question

Which of the following is the PRIMARY risk with using open source software in a commercial software construction?

Options

  • ALack of software documentation
  • BLicense agreements requiring release of modified code
  • CExpiration of the license agreement
  • DCosts associated with support of the software

How the community answered

(53 responses)
  • A
    8% (4)
  • B
    72% (38)
  • C
    17% (9)
  • D
    4% (2)

Why each option

The primary risk of incorporating open source software into commercial products centers on licensing obligations, particularly copyleft licenses that mandate releasing modified or derived source code publicly.

ALack of software documentation

While open source documentation quality varies, lack of documentation is a development inconvenience rather than a primary legal or business risk unique to commercial use.

BLicense agreements requiring release of modified codeCorrect

Many open source licenses, especially 'copyleft' licenses like the GNU General Public License (GPL), require that any software incorporating or modifying the open source code must also be released under the same open source license, forcing companies to disclose their proprietary source code. This 'viral' nature of copyleft licenses poses a significant legal and competitive risk to commercial software vendors who wish to protect their intellectual property. Failure to comply can result in loss of license rights, litigation, and mandatory public disclosure of trade-secret code.

CExpiration of the license agreement

Most open source licenses are perpetual and do not expire, making license expiration a non-issue and an inaccurate characterization of how open source licensing works.

DCosts associated with support of the software

Support costs are a consideration for any software, and many open source projects have commercial support options available; this is not the primary or distinctive risk of using open source in commercial products.

Concept tested: Open source copyleft licensing risks in commercial software

Source: https://www.gnu.org/licenses/gpl-faq.html

Topics

#open source security#licensing compliance#legal risk#supply chain risk

Community Discussion

No community discussion yet for this question.

Full CISSP Practice