ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
During an operational risk analysis, you discover that developers intend to statically link a GPLv3-licensed image-processing library into the company's proprietary desktop application, which will be shipped to customers. Which copyright-related risk should be highlighted to management?
The company must purchase a separate commercial license from the library's authors before any internal or external use.
The product must display an open-source attribution notice, but the proprietary code can remain closed-source without further obligations.
GPLv3's copyleft terms could compel the company to release the entire application's source code under the same license, eliminating its proprietary protection.
All company-held patents would be automatically transferred to the maintainers of the GPL project upon distribution of the product.
Because the application will be distributed in binary form, the strong copyleft provisions of GPLv3 extend to the entire combined work. This would legally require the company to provide complete corresponding source code to recipients under the same GPLv3 terms, effectively forcing the firm to surrender its proprietary rights. Purchasing a separate commercial license is not an inherent requirement of GPLv3, merely an optional alternative the rightsholder may or may not offer. Merely adding an open-source notice does not satisfy GPLv3, and the license does not mandate patent transfer, only a patent grant to users of the covered work. Therefore, the obligation to disclose and relicense the application's source code is the most direct intellectual-property risk.