Concepts•Jun 2026•4 min read

Closed Source vs Source Available

Closed source hides the code; source-available shows it but chains your hands with a license. Neither is open source. Here's which licensing posture actually protects you when the vendor turns hostile.

The short answer

Source Available over Closed Source for most cases. When the vendor inevitably gets acquired, jacks prices, or sunsets the product, source-available leaves you something to audit, patch, and fork into a private.

  • Pick Closed Source if buying a SaaS where you'll never touch the code anyway, the vendor is large and durable, and you want zero licensing-compliance overhead — closed source is one less thing to read
  • Pick Source Available if need to audit security, self-host, patch around vendor neglect, or survive an acquisition. Source-available gives you the code and a clear (if restrictive) license — leverage closed source never offers
  • Also consider: Neither is open source. If you need true freedom to fork, redistribute, and run commercially without permission, an OSI-approved license (MIT, Apache 2.0, AGPL) is the only real answer — both options here fall short of that bar.

— Nice Pick, opinionated tool recommendations

What They Actually Are

Closed source means the binary ships and the source stays in the vendor's vault — you get a product, not a codebase. Source-available means you can read, and often build, the full source, but a non-OSI license dictates what you're allowed to do with it: no competing commercial use, no redistribution, sometimes a time-delayed open release. People conflate source-available with open source constantly, and that confusion is exactly what BSL, SSPL, and the Elastic License were designed to exploit. The distinction that matters isn't 'can I see the code' — it's 'what am I legally permitted to do once I've seen it.' Closed source answers that with silence. Source-available answers with a paragraph of restrictions you must actually read. One gives you nothing and admits it; the other gives you visibility and fine print. Know which contract you're signing before the renewal invoice arrives and your options narrow to zero.

Security & Auditing

Closed source asks you to trust a SOC 2 PDF and a marketing page. You cannot verify the crypto, find the hardcoded credential, or confirm the telemetry isn't shipping your data somewhere ugly — you file a ticket and wait for a vendor whose incentive is to downplay. Source-available hands you the actual code. Your security team can grep for the backdoor, reproduce the build, and confirm what runs in your network. 'Many eyes make bugs shallow' is overstated — most source-available projects get audited by nobody — but the option exists, and for regulated industries that option is the difference between an approval and a hard no. Closed source forces you to outsource your threat model to a stranger's roadmap. Source-available lets you own it. When a CVE drops, one camp waits for a patch on the vendor's timeline; the other can read the diff, assess exposure, and mitigate today. That gap is not theoretical.

Lock-in & The Exit

This is where closed source quietly bills you for the rest of your life. No source means no self-host fallback, no fork, no in-house patch when the vendor deprecates the feature you built on. When they get acquired and 10x the price — and they will — your only move is to rip and replace, which is exactly why they price like they own you. Source-available isn't freedom, but it's a parachute: you can run it yourself, patch around abandonment, and keep a private fork alive long after the company pivots or dies. The BSL crowd (HashiCorp, Sentry, MongoDB's SSPL) restricts commercial competition, not your internal use — so for most buyers the restriction never bites. The escape hatch does. Closed source optimizes the vendor's leverage; source-available leaves a sliver of yours. In a multi-year dependency, that sliver is the whole game, and pretending otherwise is how procurement gets ambushed.

The Honest Caveat

Don't mistake source-available for a moral high ground — it's a commercial weapon dressed as transparency. BSL and SSPL exist to stop AWS from reselling the product, and that same license can forbid the SaaS you wanted to build on top of it. Read it before you architect. Closed source, for all its opacity, is at least honest about the deal: you rent, you don't own, the end. And a large, stable closed-source vendor (your cloud provider, your IdP) is often a safer bet than a venture-backed source-available startup that relicenses the moment growth stalls — which has happened repeatedly. The real failure mode isn't picking wrong; it's assuming source-available means open source and discovering at scale that you can't legally do the thing your whole roadmap depends on. If you need genuine freedom, neither wins — go OSI-licensed. If you must choose between these two, source-available's exit beats closed source's leash.

Quick Comparison

FactorClosed SourceSource Available
Code visibilityNone — binary only, vault-locked sourceFull read access, usually buildable
Security auditabilityTrust the vendor's attestations and ticketsAudit, grep, and reproduce the build yourself
Lock-in / exit optionsRip-and-replace only; vendor owns leverageSelf-host and private-fork parachute exists
Licensing simplicityJust a rental EULA, nothing to comply withRestrictive non-OSI license you must read closely
True open-source freedomNo redistribution, no fork, no freedomRestricted — not OSI, commercial limits apply

The Verdict

Use Closed Source if: You're buying a SaaS where you'll never touch the code anyway, the vendor is large and durable, and you want zero licensing-compliance overhead — closed source is one less thing to read.

Use Source Available if: You need to audit security, self-host, patch around vendor neglect, or survive an acquisition. Source-available gives you the code and a clear (if restrictive) license — leverage closed source never offers.

Consider: Neither is open source. If you need true freedom to fork, redistribute, and run commercially without permission, an OSI-approved license (MIT, Apache 2.0, AGPL) is the only real answer — both options here fall short of that bar.

Closed Source vs Source Available: FAQ

Is Closed Source or Source Available better?

Source Available is the Nice Pick. When the vendor inevitably gets acquired, jacks prices, or sunsets the product, source-available leaves you something to audit, patch, and fork into a private build. Closed source leaves you a support ticket and a prayer. Visibility plus a license you can read beats a sealed box you can't.

When should you use Closed Source?

You're buying a SaaS where you'll never touch the code anyway, the vendor is large and durable, and you want zero licensing-compliance overhead — closed source is one less thing to read.

When should you use Source Available?

You need to audit security, self-host, patch around vendor neglect, or survive an acquisition. Source-available gives you the code and a clear (if restrictive) license — leverage closed source never offers.

What's the main difference between Closed Source and Source Available?

Closed source hides the code; source-available shows it but chains your hands with a license. Neither is open source. Here's which licensing posture actually protects you when the vendor turns hostile.

How do Closed Source and Source Available compare on code visibility?

Closed Source: None — binary only, vault-locked source. Source Available: Full read access, usually buildable. Source Available wins here.

Are there alternatives to consider beyond Closed Source and Source Available?

Neither is open source. If you need true freedom to fork, redistribute, and run commercially without permission, an OSI-approved license (MIT, Apache 2.0, AGPL) is the only real answer — both options here fall short of that bar.

🧊
The Bottom Line
Source Available wins

When the vendor inevitably gets acquired, jacks prices, or sunsets the product, source-available leaves you something to audit, patch, and fork into a private build. Closed source leaves you a support ticket and a prayer. Visibility plus a license you can read beats a sealed box you can't.

Related Comparisons

Disagree? nice@nicepick.dev