Building a business on open source

OSS-core (Sentry, Posthog, Mattermost) — the core is open source under a permissive (MIT/Apache) or copyleft (AGPL) licence. The commercial company offers a hosted version of the same code, plus enterprise-only features (SSO, audit logs, dedicated support, SLAs). The split runs through the codebase, with proprietary modules in a separate licence.

Hosted-OSS / SaaS-on-OSS (Vercel for Next.js, Hashicorp Cloud) — the core is open source under a permissive licence. The commercial company runs the canonical hosted version. Customers can self-host but most pay for the hosted experience. Risk: clouds (AWS, GCP) launching competing hosted versions.

OSS-adjacent (Stripe, Tailwind) — the framework / library is open source; the business is a separate product that benefits from the OSS's distribution. Tailwind sells UI components and admin templates; Tailwind itself is free.

The model dictates the licence, which dictates the entire trajectory:

• MIT / Apache 2.0 — maximum adoption, lowest moat (cloud forks legal)
• AGPL — protects against unauthorised hosting; tolerated by most enterprise, refused by some
• BSL (Business Source Licence) — paid for cloud hosting; converts to OSS after N years (HashiCorp, MariaDB pattern)
• SSPL — Mongo's response to cloud forks; controversial; treated as non-OSS by Debian/Fedora

Pick licensing the day you start, not on day 365 when you realise the model needs protection — relicensing breaks trust permanently.

OSS that grows depends on contributors. Contributors need:

• Clear contribution paths — labelled-good-first-issues, accepted PR templates, fast review turnaround
• Public recognition — contributors listed on the site, in the CHANGELOG, in release notes
• Decision transparency — RFCs, roadmaps, public discussions — not closed-door decisions that surprise the community
• Maintainer responsiveness — issues triaged within a week, PRs reviewed within two

What kills contributor energy:

• Maintainers who never merge — contributors stop contributing after 2-3 stalled PRs
• Surprise direction changes — "we're rewriting in Rust" without RFC
• Vendor decisions that contradict community needs — adding feature X because enterprise asked, when 90% of community wants feature Y

What about paid maintainers? Mature OSS projects (Linux Foundation–style) blend volunteers + paid maintainers from sponsoring companies. For a single-vendor project, paying the core maintainers is fine; just be transparent that they're employees, not independent voices.

Trap 1: monetising too late. A common pattern: launch OSS, build a community, hit a million users, only then start charging. By then the community expects everything to be free, the cloud is hosting your software for billions, and your monetisation feels predatory. Build the monetisation path on day one even if you don't switch it on until later.

Trap 2: monetisation that feels like extortion. Pulling features out of OSS and into the paid tier breaks trust. New paid features only — never remove what was free.

Trap 3: relicensing. Going from MIT/Apache to AGPL or BSL is sometimes necessary but always painful. You'll lose a portion of the community permanently. Plan licensing carefully on day one.

When OSS is the wrong call:

• Your differentiation is the implementation (not the interface). OSS exposes the implementation; competitors copy.
• Your customer doesn't care about OSS values (most consumer products, most B2C). OSS adds operational overhead without growth lift.
• You're optimising for a fast acquisition rather than a durable business. Acquirers discount OSS-core because of the licence and community complications.

OSS is leverage, not magic. Use it when distribution to developers / technical buyers is your bottleneck. Don't use it because Hacker News will applaud.