# ADR-0001: License the standard, the skill, and the specimens under MIT

## Status
Accepted

## Date
2026-05-06

## Context

The Defensive OpSec Operating Standard, the agent skill, and the specimens are intended to be cited, forked, lifted, and adapted by other security teams, agent-skill authors, OWASP / NIST / CISA work products, and downstream tooling. The license must:

- Permit unrestricted commercial use, including by competing AppSec vendors and by closed-source enterprise security teams.
- Permit modification and redistribution without copyleft propagation.
- Be familiar enough that adopters do not need legal review to lift the artefacts.
- Be compatible with the upstream `vercel-labs/deepsec` scanner license (Apache-2.0).

The standard is *vocabulary, not certification* (Rule 4). The license must reinforce that framing. Adopters should be able to cite or republish without procurement friction.

## Decision

License everything in this repository under MIT.

## Alternatives Considered

### Apache-2.0 (matches upstream `deepsec`)
- Pros: Same license as `vercel-labs/deepsec`; explicit patent grant; broad enterprise comfort.
- Cons: Heavier text; not the convention for documentation-shaped artefacts.
- Rejected: MIT is the dominant license for skill-format documents and operating standards in this ecosystem; Apache compatibility is preserved (MIT-licensed work can be combined with Apache-2.0).

### CC BY-SA 4.0 (Creative Commons Attribution-ShareAlike)
- Pros: Built for documentation; mandates attribution preserved on derivatives.
- Cons: Copyleft propagation is a procurement blocker for many enterprise security teams; ShareAlike clashes with downstream tools that may want to incorporate snippets without re-licensing.
- Rejected: The standard's leverage depends on adopters being able to lift it without legal review.

### Public domain (CC0)
- Pros: Zero friction.
- Cons: No attribution requirement, no warranty disclaimer; some jurisdictions don't recognise public-domain dedication.
- Rejected: Light attribution discipline is what makes the citation pattern work.

### No license / "all rights reserved"
- Pros: Maximum control.
- Cons: Defeats the entire purpose of publishing a citable standard.
- Rejected on first principles.

## Consequences

- Adopters can fork, cite, paste into `CLAUDE.md`, and republish derivatives without procurement review.
- Compatible with Apache-2.0 (`deepsec`), GPL, BSD, and most other open licenses for combination.
- Attribution is the only durable obligation on adopters; it is preserved by the credit-and-scope sections in `standard.md` and `README.md`.
- The standard's reach is bound only by its quality, not by license-compatibility friction.
