There’s a popular WordPress vulnerability scanner called WPScan. To validate its popularity: it has over 1,800 commits, 750 stars, and 165 forks on Github.
The scanner is used by a lot of security folks, as well as other service and product vendors. The plugin has historically been split license, sort-of, between GPL and some kind of home-cooked non-commercialization clause. The problem is the GPL can’t come with a clause like that.
It turns out that folks did package WPScan with commercial entities and then the WPScan folks got upset (so the story goes, at least). Now, they’ve changed the license, but without getting the approval of the contributors, which the license change requires. You may recall VVV establishing a license recently as well (Github discussion | WPTavern story), where they had to get contributor approval just to go from unlicensed to MIT.
WPScan has gotten themselves in a pickle. The folks at a company called Delve Labs have been having a beef with WPScan over it, so now they’ve forked WPScan to create Vane, which will be 100% GPL.
Moral of the story: your license matters, so consider it wisely. And if you choose to adopt a license, know what you can and can’t do with it. With the GPL, one of the repercussions — or freedoms, considered differently — is that people can still monetize your freely provided code. That’s one of the things you accept.
