What are low-, medium-, and high-risk open source licenses?

Low risk: Permissive licenses

Permissive licenses generally impose few limiting conditions. Typically, they only require that you keep the copyright notice in place when you distribute your own software. This means you can use and change the open source software as long as you keep the copyright notices intact. The MIT and Apache licenses, the two most popular licenses currently in use, are in this category. We rate permissive licenses as low-risk licenses.

Medium risk: Weak copyleft licenses

Weak copyleft licenses usually require you to make any modifications to the source code available under the same terms as the given license. Some of these licenses explicitly define what counts as a modification. For instance, a license might treat copying unmodified open source code into proprietary code as a modification. To comply with the license obligations, you would have to release the source code (original, modified, and newly added). Popular open source licenses in this category include the Mozilla Public License. We rate weak copyleft (semi-permissive) licenses as medium-risk licenses.

High risk: Reciprocal/Copyleft licenses

Some popular open source licenses, such as the GNU General Public License v2.0 or later and GNU Lesser General Public License v3.0 or later, are quite restrictive. Depending on how you integrate open source software with your proprietary software, you may face significant risk. In the worst-case scenario, you may be required to release your proprietary software under the same license—royalty-free. We rate restrictive licenses as high-risk licenses.

Unsurprisingly, given its #1 position, the MIT license was found in 92% of the open source audited for the 2025 OSSRA report. If your software contains open source—and according to the 2025 OSSRA report, 97% of commercial software does—you’ll likely find the MIT license in your software. As a permissive license that permits reuse within proprietary software, the MIT license is highly compatible with other software licenses and carries low risk.

On the other hand, Creative Commons license risk can vary depending on usage, which is one of the reasons the CC organization recommends using licenses specifically written for open source software rather than its own licenses. While many developers use CC licenses for documentation, some also inadvertently (usually by including a code snippet) or deliberately apply a CC license to their code, which can become a concern from a legal standpoint, especially during M&A transactions.