A $130M company faked trials instead of running our free OSS

Summary

🚀 Of trials and tribulations

Open Source is beautiful. Messy, thankless, powerful — and occasionally just plain weird.

At Vates, we’ve already shared some of the pain points that come with maintaining open source projects (see: OSS maintainer fatigue). And more recently, the rise of AI-assisted fake contributions and “security reports” has added a whole new layer of entropy. (This blog post captures it perfectly.)

But today, we’re here for something a little more… grounded.

🧑‍🚀 The curious case of the infinite trial

Let’s set the stage. Picture a semi-governmental company. Around $130 million in annual revenue. They build and operate very expensive things — in space. Hundreds of physical hosts. Nearly 4,000 VMs. Most of their IT stack, in fact, runs on our platform. 🚀

You might say we’re mission critical. Fitting, since the XCP-ng logo is literally a rocket, and Xen Orchestra’s is a satellite. We didn’t expect someone to take that so literally.

Are they paying customers?

No.

Are they using the fully open-source version, from source?

Also no.

Instead, they discovered our Xen Orchestra Appliance (XOA): a turnkey virtual machine, with Xen Orchestra pre-installed, regularly tested, easy to deploy and update (and yes, still running fully on-prem). A supported and stable experience, designed for teams that don’t want to git pull on master branch in production.

But they didn’t want to pay for it. So they came up with a creative workaround: abusing our 30-day trial (initially 15 days until recently), over and over again.

It all started back in April 2015 — yes, a full decade ago. At first, they used their corporate emails to request trials. One here, one there. Nothing suspicious. But over the years, the pattern grew. More emails. More trials. Enough that, when we looked back, we realized we could chart it. Literally. Here's what the "creative licensing strategy" has looked like over time:

[Figure: Number of accounts we could confidently tie to the company.]

Probably not even the full picture — the...

First seen: 2025-05-16 12:43

Last seen: 2025-05-16 20:44