ZAP – Should ZAP Switch to a Non-OSI Approved Licence?

Submitted by Style Pass, 2024-06-08 13:00:07

ZAP is probably the world’s most popular web scanner, and is the basis for over a dozen commercial DAST services... but getting people to pay us to maintain it has proved VERY difficult.

We, the core team, are fans of Open Source and want ZAP to be free for everyone to use, but so far (with the exception of the time-limited funding from Crash Override) we have not been able to get enough support to make ZAP development sustainable.

Obviously we could just go commercial and make future versions of ZAP closed source, but I honestly believe that the world needs an open source web scanner like ZAP.

I think it makes sense for the companies building commercial services on top of ZAP to fund the core ZAP development. It is very disappointing that to date most of them are not supporting ZAP to the level that will make us sustainable.

One option we were looking at is dual licensing ZAP, with AGPLv3 being the open source licence. Unfortunately, based on legal advice, we now do not think that AGPL will be enough to “encourage” the companies building commercial services on top of ZAP to purchase a commercial licence.
