
Volume 339, Issue 1 · IT News · FOSS

Open Source Is Free Until Someone Comes to Collect

Security Boulevard, Wednesday, June 3rd, 2026

Free open source defers rather than eliminates cost, and most organizations lack the governance to manage that liability.

Open source software exemplifies a pattern where "free" is not the same as "without obligation": components that cost nothing to acquire skip any acquisition review. Winter highlights a governance gap: adoption of the Open Source Program Office (OSPO) model sits at roughly 26%, meaning about 74% of organizations consuming open source at scale lack the governance architecture to manage it.

Unreviewed open source components don't stay free; they simply defer the invoice in the form of security, provenance, and compliance liabilities. Winter notes that regulatory requirements such as the EU Cyber Resilience Act do not exempt free open source software, which makes accountability, governance, and provenance tracking essential.
