How to make money from open source software

Ditching the GPL may be the key to running a successful commercial open source software business.

Open source illustration

Last month we looked at the argument that the open source business model is flawed because selling maintenance and support subscriptions doesn't provide companies with enough revenue to  differentiate their products from the underlying open source software or to compete with the sales and marketing efforts of proprietary software companies. The argument was advanced by Peter Levine, a venture capitalist at Andreessen Horowitz.

But Levine's argument only holds – if it holds at all – for companies commercializing open source software using GPL-type licenses.

That's the counter argument put forward by Daniel Raskin, a former Sun Microsystems executive who is now vice president of strategy and marketing at San Francisco-based open source identity and access management software company ForgeRock.

"Peter Levine talked about conventional open source business models using the GPL license where you can't monetize software so you struggle to raise money to invest in innovation," Raskin says. But he points out that companies can use other open source licenses which do allow the monetization of software.

Not all open source licenses are created equal

For example, the source code to ForgeRock's products is licensed under the Common Distribution and Development License (CDDL), a FSF-approved free software license produced by Sun Microsystems, based on the Mozilla Public License (MPL). What's interesting about this license is that software executables compiled from this source code can be offered under a different license: in ForgeRock's case, a commercial license. There is a requirement that any executable must be supplied with the source code.

[Related: Why the open source business model is a failure]

ForgeRock offers annual major releases of its software which are made available to developers under a commercial license free of charge for use in non-production environments, along with the CDDL’ed source code. Anyone is entitled to take the source code and compile it themselves and use it in a production environment, although they would have to develop their own bug fixes and security patches themselves.

Subscription customers are allowed to use the software in production environments, and get minor and maintenance releases which include bug fixes and security patches, as well as support and legal indemnification. Only they get the source code for these minor and maintenance releases.

"So we give one release a year away, but for every other release you have to be a paying customer – so the subscription monetizes the software itself," says Raskin.

And that, he says, is the key point: the GPL business model makes open source software hard to monetize, but other models, such as ForgeRock's – based on the CDDL for the source code and a commercial license for the executable – do allow for monetization of open source software. The source code for interim releases is "open" – but only to those who pay for a commercial license to the software.

It’s hard to compete with free

The extent to which the software can be monetized – how much revenue can be generated from it – depends on what the software achieves and what alternatives solutions are available, he believes. But here's the thing: the traditional GPL approach means that potential customers for open source software can choose to download a "community" version of the software and use it for free, or pay a subscription for what's essentially the same underlying software – albeit with the promise of some quality, security and sometimes feature enhancements, plus support.

Since the subscription-based product is forced to compete with a free alternative from which it is derived, that reduces the potential revenue that the subscription product can generate. (Levine's made this point by saying that many companies are unwilling to pay the "Red Hat tax" when they can get Fedora for nothing.)

But in ForgeRock's case this doesn't apply as there is no "community" version of its software: if you want to use the company's identity management solution you have pay for a license. Then you can access the source code, and modify it if you want.

In fact that's not quite true, because each annual major release is available free, along with the source code which anyone can compile and run. But this release isn't maintained by any community (in part because the software is too specialized to attract one) so it would be rash to put the code into production.

There's a potential problem with ForgeRock's approach: One of the perceived strengths of the traditional free and open source software development model (not the open source business model) is that by granting everyone access to the source code, anyone can contribute to the project, improve it or spot bugs, anyone can modify the software to meet their needs, and everyone can benefit from any modifications.

But that's not what is happening with ForgeRock's products. Only paying customers (of which there are about 500 around the world) have access to the source code for the minor and maintenance releases, and as a result, only a small amount of the code – perhaps 10 percent – originates from contributors outside the company.

[Related: 7 reasons not to use open source software]

So although ForgeRock may have a sustainable business model, there's a question mark around whether this is really still open source software that captures the benefits of the free open source development model.

Raskin maintains that it does offer most of them: transparency into what the software actually does, the insurance of having the source code should ForgeRock suddenly cease to exist, the ability to troubleshoot collaboratively with the vendor, plus the ability to customize the software from the underlying source code.

Providing a free, not-for-production version of the product, along with its source code, also enables companies to evaluate the software easily, although this is not unique to open source software. None the less, Raskin maintains that for the first three years of the company's five year history it had more sales leads than it could handle simply because organizations were trying out the software and examining the source code. "In that respect, open source can be a very valuable sales pipeline,” he says.

The remaining question is how profitable ForgeRock's open source business model really is compared to others in the identity software space like Oracle, CA and IBM. The company doesn't reveal this type of financial information, so it's a question that's hard to answer.

But, Raskin is convinced, ForgeRock's approach is an open source business model that allows it to thrive in a way that isn't possible using the traditional GPL-based business model. "You do get hardline open source people who maintain that everything should be 100 percent free, but if that only results in commodity software, then that's the wrong model,” he concludes.

To comment on this article and other CIO content, visit us on Facebook, LinkedIn or Twitter.
Get your IT project the recognition it deserves.
Submit your CIO 100 Award application today!