The case below is inspired by a real file; the parties have been altered beyond recognition.

The Series A was on track. For technical due diligence, the investor’s advisor ran the codebase through a software composition analysis (SCA) tool. The report came back two days later: a GPLv3-licensed library sat inside the product’s core module — embedded in the source. The investor’s email was short: “We can’t proceed until this is resolved.”

The founders were baffled. The library was free, everyone used it, it had thousands of stars on GitHub. That was precisely the problem: open source doesn’t mean free of charge. It means licensed.

What Copyleft Means: You Pay With Your Code

Open source licenses fall into two broad families. Permissive licenses (MIT, Apache 2.0, BSD) say “take it, use it, give credit, I won’t ask questions” — embedding them in a commercial product is usually unproblematic. Copyleft licenses (GPLv2, GPLv3, AGPL) attach a condition: if you make this code part of a derivative work and distribute it, you must distribute the entire work under the same license — that is, with the source open.

It’s called “GPL contamination” for a reason: depending on how it’s linked, a single library can engulf the whole product. Translated into investor language: the company’s exclusivity over its most valuable asset — the source code — is legally contested.

“But We’re SaaS — We Don’t Distribute Anything”

A partly valid defense. Classic GPL obligations are triggered by distribution; if the software runs on your servers and users only see an interface, most readings find no distribution under GPLv2/v3. Two traps remain:

  • AGPL was written precisely for that loophole: merely providing access to the software over a network triggers the source-disclosure obligation. MongoDB, Grafana and a growing list of popular tools live in this license family.
  • A mobile app, an on-premise installation, an SDK, or any binary handed to a customer is distribution. The product that is pure SaaS today starts distributing tomorrow, the day an enterprise customer says “we’d like to run it on our own servers.”

LGPL and the Grey Zone

LGPL lets you use a library via dynamic linking without copyleft spreading; static embedding is contested territory. “Which form of linking creates a derivative work” is one of those rare questions where the engineers’ architecture decision and the lawyer’s license reading must sit at the same table.

What Happened in Our Case?

Three options reached the table: (1) open-source the product’s code — commercial suicide; (2) re-license the library commercially — once the rights holder sensed the situation, so did the price; (3) rewrite the module clean-room, by a team that had never seen the GPL code. The company chose door three: four months of delay, unplanned engineering cost, and a revised term sheet. The round closed — below the originally discussed valuation, and with heavy open-source representations and indemnities written into the closing documents.

The Turkish Law Dimension

An open source license is legally a license agreement; using the code in breach of its condition is both a breach of contract and an infringement of economic rights under the Turkish IP Code (FSEK). So the risk is not only “the investor didn’t like it”: the rights holder can claim copyright damages and demand the infringement cease. And if the code is sold abroad, remember that GPL disputes are actively litigated in the US and Germany.

Pre-Investment Open Source Hygiene: Five Steps

  • Build the inventory: Which dependency, under which license, sits where in the product? A dependency you don’t know about is a risk you can’t manage.
  • Write a policy: Which licenses are free to use (MIT, Apache), which need approval (LGPL), which are banned (AGPL; GPL in the core product) — a one-page table is enough.
  • Put scanning in CI: Run the SCA scan in your own pipeline before the investor’s advisor does; catch the problematic dependency at the pull-request stage.
  • Track copied code: Snippets from Stack Overflow and LLM output can carry licenses too; write that rule into the engineering handbook.
  • Prepare for the rep: Before signing the open-source representation in your investment documents, know that what you are representing is true. A false rep comes back to you through the indemnity clause.
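As an added example that is not part of the article, the policy and CI-scan steps above as one gate over a dependency inventory: it applies the one-page table (permissive allowed, LGPL needs approval, AGPL banned, GPL banned in the core product) and goes one step further by resolving dual-licensed SPDX `OR`/`AND` expressions. The license sets, the inventory shape and the package names are constructed assumptions, not output of any real SCA tool.

```python
# Constructed example, not the article's or any vendor's code: a CI gate that
# applies the article's one-page policy table to an SCA/SBOM-style inventory.
RANK = {"allow": 0, "review": 1, "block": 2}
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
LGPL = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later"}
AGPL = {"AGPL-3.0-only", "AGPL-3.0-or-later"}
GPL = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later"}

def classify_one(lic, dep):
    """Verdict for one SPDX identifier, given where and how the dependency is used."""
    if lic in AGPL:  # network access alone triggers disclosure, so SaaS is no shield
        return "block", "AGPL: banned everywhere"
    if lic in GPL:  # banned in core; elsewhere a human confirms it stays out of shipped code
        if dep["component"] == "core":
            return "block", "GPL in core product"
        return "review", "GPL outside core: confirm not linked into shipped binaries"
    if lic in LGPL:  # needs approval; static embedding is the contested case
        mode = dep.get("linking", "unknown")
        return "review", f"LGPL, {mode} linking: legal approval required"
    if lic in ALLOWED:
        return "allow", "permissive"
    return "review", f"{lic} not in policy table"  # unknown is never silently allowed

def classify(dep):
    """Flat SPDX expressions: OR lets us pick the best option, AND binds us to the worst."""
    expr = dep["license"]
    if " OR " in expr:
        return min((classify_one(p.strip(), dep) for p in expr.split(" OR ")), key=lambda c: RANK[c[0]])
    return max((classify_one(p.strip(), dep) for p in expr.split(" AND ")), key=lambda c: RANK[c[0]])

def gate(inventory):
    """Return (passed, findings). The pipeline fails on any 'block'; 'review' opens a ticket."""
    findings = [(d["name"], *classify(d)) for d in inventory]
    return all(v != "block" for _, v, _ in findings), findings

# Constructed inventory in the shape an SCA report or SBOM would provide.
SAMPLE = [
    {"name": "jsonlib", "license": "Apache-2.0", "component": "core"},
    {"name": "pdfgen", "license": "GPL-3.0-only", "component": "core"},
    {"name": "cryptlib", "license": "LGPL-2.1-or-later", "component": "core", "linking": "static"},
    {"name": "dualpkg", "license": "MIT OR GPL-2.0-only", "component": "core"},
    {"name": "metricsdb", "license": "AGPL-3.0-only", "component": "infra"},
]

if __name__ == "__main__":
    passed, rows = gate(SAMPLE)
    for name, verdict, why in rows:
        print(f"{verdict:6} {name:10} {why}")
    raise SystemExit(0 if passed else 1)
```

Run it as a pull-request check so the build fails on the GPL-in-core and AGPL rows while the LGPL row is routed to approval instead of being waved through.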

To scan your codebase before a round, set up a license policy, or remediate an existing GPL finding, get in touch. For the rest of the diligence battlefield, see Deals That Die in Due Diligence.

Author

  • Erdem Mümtaz Hacıpaşaoğlu

    Mümtaz is the Managing Partner of Vircon Legal, which he founded in 2016. He advises founders, investors and operators on financing rounds, M&A, cross-border incorporations and regulated verticals — including crypto-asset infrastructure, fintech and games — bringing a former startup founder's perspective to every engagement.

Published: 16 June 2026
This article is for general informational purposes only and does not constitute legal advice. Laws and practices may have changed since the publication date. For specific situations, please consult Vircon Legal.