Can I legally use open-source code in my commercial product?

By SuLe · Updated 17 June 2026

Yes — commercial products use open-source code all the time — but only if you comply with each dependency's licence, because open-source code is copyrighted and licensed, not free of obligations. Permissive licences like MIT are safe defaults; strong copyleft licences like GPL, and especially AGPL, can force you to release your own source code.

Get expert legal advice before you sign.

Book a free 20-minute call

Key facts

  • Open-source code is copyrighted and licensed; using it in breach of its licence is copyright infringement.
  • Code with no licence at all is all-rights-reserved — you cannot safely use it.
  • MIT and BSD let you use, modify and sell freely if you keep the copyright and licence notice; Apache-2.0 adds a patent licence and requires stating your changes.
  • Distributing software containing GPL code means the whole derivative work must be offered under the GPL with source; AGPL extends that obligation to network (SaaS) use.
  • VCs run software-composition-analysis scans in due diligence at Series A and acquisition, so keep a dependency inventory with licences from day one.

Is open-source code actually free to use?

Free as in liberty, not free of obligations. Open-source code is copyrighted work that its author has licensed on specific terms, and using it outside those terms is copyright infringement just like copying any other protected work.

The most common trap is code with no licence attached at all. No licence means all rights reserved — you have no permission to use it, so a repository without a clear licence is not safe to build on, however public it looks.

The Open Source Initiative's licence list is the reference point for which licences are recognised and what each one requires.


Which licences are safe for a commercial product?

Permissive licences are the safest defaults. MIT and BSD let you use, modify and sell the code freely, and your main obligation is simply to keep the original copyright and licence notice in your distribution.

Apache-2.0 is also permissive and adds two useful things: an express patent licence from contributors, and a requirement that you state the changes you have made. For a commercial product, permissive licences give you the most freedom with the least risk.

Keeping to a permissive allowlist for new dependencies is a simple way to stay out of trouble, which is why many teams gate dependencies this way. This pairs with MIT vs Apache vs GPL — what the licences mean for startups.


When does copyleft force me to open my own code?

Copyleft licences are where commercial products get caught. Under GPLv2 and GPLv3, if you distribute software that contains GPL code, the whole derivative work must be offered under the GPL, with source code made available.

Crucially, pure server-side use is not "distribution", so a classic SaaS product that never ships the software to users may avoid the GPL trigger. LGPL is gentler still: it permits dynamic linking without infecting your own code.

The exception that bites startups is AGPL. It closes the SaaS gap by treating network interaction as triggering the source-code obligation — so if users interact with AGPL-covered software over a network, you can be required to release your source. That makes AGPL the classic SaaS red flag.


How do investors treat our open-source usage?

Seriously. VCs run software-composition-analysis scans as part of due diligence at Series A and on acquisition, so your dependency tree gets read by someone whose job is to find licence problems.

A single AGPL or GPL dependency sitting in the wrong place can stall a deal while you rip it out and re-engineer around it — expensive and stressful under a closing deadline. The fix is cheap if you start early: keep a dependency inventory with licences from day one.

Teams commonly automate this by gating dependencies against a licence allowlist — MIT, BSD and Apache in; AGPL flagged for review — using scanners in their CI pipeline.

Licence familyExamplesCommercial-product effect
PermissiveMIT, BSDUse, modify, sell freely; keep the copyright/licence notice
Permissive + patentApache-2.0As above, plus express patent licence; state your changes
Weak copyleftLGPLDynamic linking allowed without opening your own code
Strong copyleftGPLv2, GPLv3Distributing a derivative means releasing the whole under GPL with source
Network copyleftAGPLNetwork/SaaS use triggers the source obligation — SaaS red flag
No licenceAll rights reserved; not safe to use

Worked example

Ben's fintech startup ships a self-hosted reconciliation tool to banks, so it distributes software rather than running pure SaaS. Its engineers pull in a fast parsing library to save time before a launch deadline.

During Series A due diligence, the VC's software-composition-analysis scan flags that the library is GPLv3. Because Ben distributes the product, linking that library would force the whole tool to be offered under the GPL with source — unacceptable for a commercial licence. The team spends two weeks and roughly £6,000 of engineering time replacing it with an MIT-licensed alternative and adopts a CI licence allowlist so it never happens again. The round closes on schedule.


Where founders go wrong

  • Using code with no licence

    — no licence means all rights reserved; a public repo is not a permission slip.
  • Assuming SaaS immunises you from copyleft

    — GPL may not trigger server-side, but AGPL treats network use as triggering the source obligation.
  • Dropping the copyright notice

    — even permissive MIT and BSD require you to keep the original notice.
  • Leaving the audit to Series A

    — a bad dependency found under deal pressure is far costlier than one caught in CI on day one.

Related questions

Is open-source code free to use however I like?

No. Open-source code is copyrighted and licensed, not free of obligations. Using it outside the terms of its licence is copyright infringement, and code with no licence at all is all-rights-reserved — you cannot safely use it in your product.

Which open-source licences are safe for a commercial product?

Permissive licences are the safest defaults: MIT and BSD let you use, modify and sell freely as long as you keep the copyright and licence notice, and Apache-2.0 adds an express patent licence but requires you to state your changes. [More: MIT vs Apache vs GPL — what do the licences mean for startups?]

Will GPL code force me to open-source my product?

If you distribute software containing GPL code, the whole derivative work must be offered under the GPL with source. Pure server-side use is not distribution, so a SaaS product may avoid it — but AGPL closes that gap and can trigger the obligation.

Why is AGPL treated as a red flag for SaaS?

AGPL extends copyleft to network use: if users interact with your software over a network, the source-code obligation is triggered even though you never distribute the software. For a SaaS startup that can mean having to publish your source, so AGPL dependencies get flagged.

Do investors check our open-source licences?

Yes. VCs run software-composition-analysis scans in due diligence at Series A and on acquisition. A single copyleft dependency in the wrong place can hold up a deal, which is why keeping a dependency inventory with licences from day one pays off. [More: Who owns copyright in software in the UK?]


Open-source obligations are copyright obligations, and the difference between MIT and AGPL can be the difference between a clean Series A and an emergency re-engineering job. A SuLe solicitor can review your dependency inventory and licence posture before investors do. Book a free consultation about your product's legals and get a regulated startup lawyer to check your open-source footprint.

Keep reading: MIT vs Apache vs GPL — what do the licences mean for startups? · Who owns AI-generated code or content? · Is web scraping legal in the UK? · Who owns copyright in software in the UK? · Who owns the code if an agency built my MVP? · What IP protection does an early-stage startup actually need?

Primary sources: Open Source Initiative — licences

AI-generated content. General information, not legal advice.