Closed Source vs Source Available
Closed source hides the code; source-available shows it but chains your hands with a license. Neither is open source. Here's which licensing posture actually protects you when the vendor turns hostile.
The short answer
Source Available over Closed Source for most cases. When the vendor inevitably gets acquired, jacks prices, or sunsets the product, source-available leaves you something to audit, patch, and fork into a private.
- Pick Closed Source if buying a SaaS where you'll never touch the code anyway, the vendor is large and durable, and you want zero licensing-compliance overhead — closed source is one less thing to read
- Pick Source Available if need to audit security, self-host, patch around vendor neglect, or survive an acquisition. Source-available gives you the code and a clear (if restrictive) license — leverage closed source never offers
- Also consider: Neither is open source. If you need true freedom to fork, redistribute, and run commercially without permission, an OSI-approved license (MIT, Apache 2.0, AGPL) is the only real answer — both options here fall short of that bar.
— Nice Pick, opinionated tool recommendations
What They Actually Are
Closed source means the binary ships and the source stays in the vendor's vault — you get a product, not a codebase. Source-available means you can read, and often build, the full source, but a non-OSI license dictates what you're allowed to do with it: no competing commercial use, no redistribution, sometimes a time-delayed open release. People conflate source-available with open source constantly, and that confusion is exactly what BSL, SSPL, and the Elastic License were designed to exploit. The distinction that matters isn't 'can I see the code' — it's 'what am I legally permitted to do once I've seen it.' Closed source answers that with silence. Source-available answers with a paragraph of restrictions you must actually read. One gives you nothing and admits it; the other gives you visibility and fine print. Know which contract you're signing before the renewal invoice arrives and your options narrow to zero.
Security & Auditing
Closed source asks you to trust a SOC 2 PDF and a marketing page. You cannot verify the crypto, find the hardcoded credential, or confirm the telemetry isn't shipping your data somewhere ugly — you file a ticket and wait for a vendor whose incentive is to downplay. Source-available hands you the actual code. Your security team can grep for the backdoor, reproduce the build, and confirm what runs in your network. 'Many eyes make bugs shallow' is overstated — most source-available projects get audited by nobody — but the option exists, and for regulated industries that option is the difference between an approval and a hard no. Closed source forces you to outsource your threat model to a stranger's roadmap. Source-available lets you own it. When a CVE drops, one camp waits for a patch on the vendor's timeline; the other can read the diff, assess exposure, and mitigate today. That gap is not theoretical.
Lock-in & The Exit
This is where closed source quietly bills you for the rest of your life. No source means no self-host fallback, no fork, no in-house patch when the vendor deprecates the feature you built on. When they get acquired and 10x the price — and they will — your only move is to rip and replace, which is exactly why they price like they own you. Source-available isn't freedom, but it's a parachute: you can run it yourself, patch around abandonment, and keep a private fork alive long after the company pivots or dies. The BSL crowd (HashiCorp, Sentry, MongoDB's SSPL) restricts commercial competition, not your internal use — so for most buyers the restriction never bites. The escape hatch does. Closed source optimizes the vendor's leverage; source-available leaves a sliver of yours. In a multi-year dependency, that sliver is the whole game, and pretending otherwise is how procurement gets ambushed.
The Honest Caveat
Don't mistake source-available for a moral high ground — it's a commercial weapon dressed as transparency. BSL and SSPL exist to stop AWS from reselling the product, and that same license can forbid the SaaS you wanted to build on top of it. Read it before you architect. Closed source, for all its opacity, is at least honest about the deal: you rent, you don't own, the end. And a large, stable closed-source vendor (your cloud provider, your IdP) is often a safer bet than a venture-backed source-available startup that relicenses the moment growth stalls — which has happened repeatedly. The real failure mode isn't picking wrong; it's assuming source-available means open source and discovering at scale that you can't legally do the thing your whole roadmap depends on. If you need genuine freedom, neither wins — go OSI-licensed. If you must choose between these two, source-available's exit beats closed source's leash.
Quick Comparison
| Factor | Closed Source | Source Available |
|---|---|---|
| Code visibility | None — binary only, vault-locked source | Full read access, usually buildable |
| Security auditability | Trust the vendor's attestations and tickets | Audit, grep, and reproduce the build yourself |
| Lock-in / exit options | Rip-and-replace only; vendor owns leverage | Self-host and private-fork parachute exists |
| Licensing simplicity | Just a rental EULA, nothing to comply with | Restrictive non-OSI license you must read closely |
| True open-source freedom | No redistribution, no fork, no freedom | Restricted — not OSI, commercial limits apply |
The Verdict
Use Closed Source if: You're buying a SaaS where you'll never touch the code anyway, the vendor is large and durable, and you want zero licensing-compliance overhead — closed source is one less thing to read.
Use Source Available if: You need to audit security, self-host, patch around vendor neglect, or survive an acquisition. Source-available gives you the code and a clear (if restrictive) license — leverage closed source never offers.
Consider: Neither is open source. If you need true freedom to fork, redistribute, and run commercially without permission, an OSI-approved license (MIT, Apache 2.0, AGPL) is the only real answer — both options here fall short of that bar.
Closed Source vs Source Available: FAQ
Is Closed Source or Source Available better?
Source Available is the Nice Pick. When the vendor inevitably gets acquired, jacks prices, or sunsets the product, source-available leaves you something to audit, patch, and fork into a private build. Closed source leaves you a support ticket and a prayer. Visibility plus a license you can read beats a sealed box you can't.
When should you use Closed Source?
You're buying a SaaS where you'll never touch the code anyway, the vendor is large and durable, and you want zero licensing-compliance overhead — closed source is one less thing to read.
When should you use Source Available?
You need to audit security, self-host, patch around vendor neglect, or survive an acquisition. Source-available gives you the code and a clear (if restrictive) license — leverage closed source never offers.
What's the main difference between Closed Source and Source Available?
Closed source hides the code; source-available shows it but chains your hands with a license. Neither is open source. Here's which licensing posture actually protects you when the vendor turns hostile.
How do Closed Source and Source Available compare on code visibility?
Closed Source: None — binary only, vault-locked source. Source Available: Full read access, usually buildable. Source Available wins here.
Are there alternatives to consider beyond Closed Source and Source Available?
Neither is open source. If you need true freedom to fork, redistribute, and run commercially without permission, an OSI-approved license (MIT, Apache 2.0, AGPL) is the only real answer — both options here fall short of that bar.
When the vendor inevitably gets acquired, jacks prices, or sunsets the product, source-available leaves you something to audit, patch, and fork into a private build. Closed source leaves you a support ticket and a prayer. Visibility plus a license you can read beats a sealed box you can't.
Related Comparisons
Disagree? nice@nicepick.dev