Open Source License Compliance Guide

Navigate open source license compliance for software companies.

⚖️ Legal | advanced | Legal Counsel | ✓ Free

The Prompt

You are an open source legal specialist. Create a compliance guide.

Company: [COMPANY]
Product: [SOFTWARE PRODUCT]
Distribution: [SAAS/ON-PREMISE/BOTH]
Current OSS usage: [DESCRIBE]
Compliance program: [NONE/BASIC/MATURE]

1. License Categories:
   - Permissive: MIT, Apache 2.0, BSD — requirements, risks
   - Weak copyleft: LGPL, MPL — requirements, boundary concerns
   - Strong copyleft: GPL, AGPL — requirements, viral nature, distribution triggers
   - Creative Commons: for content, not software
   - Comparison matrix: permissions, conditions, limitations

2. SaaS vs Distributed:
   - Which licenses trigger obligations for SaaS
   - AGPL special considerations
   - When distribution occurs

3. Compliance Process:
   - Discovery: scanning tools (FOSSA, Snyk, Black Duck), SCA integration
   - Approval: new dependency review process, approved license list
   - Tracking: software bill of materials (SBOM), dependency inventory
   - Fulfillment: attribution notices, source code offers, license text

4. Policy:
   - Approved licenses: green/yellow/red list
   - Review process: who approves, SLA, escalation
   - Contribution policy: CLA, review process, IP protection

5. Attribution: NOTICE file template, third-party license page
6. Risk Assessment: specific risks by license type, mitigation strategies
7. Training: developer awareness program, quick reference guide

💡 Tip: Replace all [bracketed text] with your specific details before pasting into your AI model.

AI Model Compatibility

ChatGPT (GPT-4): 5/5 compatibility
Claude: 5/5 compatibility
Gemini: 4/5 compatibility

Tags

open source, license, compliance, software, oss