Fortify perpetual versus term license positions
Two buyers can run identical Fortify deployments and face very different audit exposure, purely because of how their licenses are structured. A Fortify perpetual versus term license position changes what the vendor can claim, how back maintenance is calculated, and what a settlement should look like. Before challenging a finding, a buyer needs to know exactly which model governs each entitlement, because the defense differs in each case.
This article explains the two models, where each one creates exposure, and how the distinction shapes a rebuttal. It supports our Fortify and AppSec audit defense practice and links up to the complete OpenText audit defense playbook for 2026.
The two models
A perpetual license grants the right to use a specific version of the software indefinitely, usually paired with a separate maintenance and support subscription that delivers updates and entitles the buyer to support. A term license grants the right to use the software for a defined period, after which the right lapses unless renewed. Maintenance is typically bundled into a term arrangement rather than purchased separately.
The distinction matters in an audit because the remedy structure attaches differently. On a perpetual estate, a shortfall is treated as licenses the buyer is deemed to have acquired at the then-current list price, plus back maintenance and support for the period of alleged overuse, plus first year maintenance on the new licenses. On a term estate, the question is whether usage exceeded the term entitlement during the measured period, which is a different calculation with a different time boundary: the term's own start and end dates, not the open-ended history of a perpetual grant.
You cannot price a finding correctly until you know whether each entitlement is perpetual or term. Mixing the two, or letting the vendor apply the perpetual remedy to a term entitlement, is one of the quietest ways a finding inflates.
Where the perpetual model creates exposure
On a perpetual estate the dangerous figure is back maintenance. When the vendor deems additional licenses to have been acquired, it also claims the maintenance that would have been paid on them across the period of alleged overuse, and then first year maintenance on top. This is the remedy stacking that turns a modest seat overclaim into a large number. The defense is to attack the seat count itself, because every seat removed removes a license, its back maintenance, and its first year maintenance at once. This compounding is why the seat definition work covered in what counts as a Fortify developer seat in an audit is so valuable on perpetual estates.
Where the term model creates exposure
On a term estate the exposure is concentrated in the measured window. The vendor will look at peak usage during the term and ask whether it exceeded the quantity purchased. Here the defense focuses on whether the peak was real and sustained or an artifact of how usage was counted. Burst activity, decommissioned projects, and non production scanning can all inflate an apparent peak. Because maintenance is bundled into a term subscription, a lapse on a term line is simply the end of the term; the separate question of reinstating lapsed maintenance belongs to perpetual lines, and we treat it in Fortify perpetual maintenance reinstatement in a finding.
Reading your own entitlements
Many estates are mixed. A buyer may hold perpetual SCA licenses with separate maintenance alongside term subscriptions for WebInspect or Fortify on Demand. The audit will not separate these for you, and a finding often applies a single remedy framework across the whole estate. The first reconstruction step is to inventory every entitlement and label it perpetual or term, with the maintenance status of each. Only then can the remedy be priced correctly per line. This inventory is part of reconciling Fortify entitlements before an audit.
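As an added worked example, not taken from the original article or from any vendor document, the following Python prices a constructed mixed estate two ways: as an opening finding that counts every user in a directory export and applies the perpetual stack to every line, and as a reconstruction that counts only production scan submitters inside each measurement window and prices each line under its own model. The entitlement names, prices, the 20 percent maintenance rate, the pro-rata convention used for term excess, and the scan log are all hypothetical.

```python
"""Price a mixed Fortify estate line by line under the right remedy model.

Added illustration on constructed data. Prices, maintenance rate and the
term-line pro-rata convention are hypothetical, not vendor figures.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Entitlement:
    name: str
    model: str                 # "perpetual" or "term"
    quantity: int              # seats purchased
    unit_price: float          # per-seat list (perpetual) or annual fee (term); constructed
    maint_rate: float          # annual maintenance as a fraction of unit_price; hypothetical
    window: tuple[date, date]  # period the vendor measures


@dataclass(frozen=True)
class ScanEvent:
    product: str      # entitlement the scan draws on
    user: str
    environment: str  # "prod" or "nonprod"
    when: date


def naive_peak(events, product):
    """Directory-export count: anyone who ever touched the product, any
    environment, inside or outside the window."""
    return len({e.user for e in events if e.product == product})


def measured_peak(events, product, window):
    """Peak distinct users per calendar month who submitted production scans
    inside the window. Nonprod scans and out-of-window projects add no seats."""
    start, end = window
    per_month = defaultdict(set)
    for e in events:
        if e.product != product or e.environment != "prod":
            continue
        if not (start <= e.when <= end):
            continue
        per_month[(e.when.year, e.when.month)].add(e.user)
    return max((len(users) for users in per_month.values()), default=0)


def perpetual_remedy(shortfall, unit_price, maint_rate, years):
    """Deemed-acquisition stack: licenses at list, back maintenance across the
    alleged overuse period, then first year maintenance on the new licenses."""
    license_fee = shortfall * unit_price
    back_maintenance = license_fee * maint_rate * years
    first_year_maintenance = license_fee * maint_rate
    return license_fee + back_maintenance + first_year_maintenance


def term_remedy(excess, unit_price, years):
    """Term line: excess seats at the annual fee for the measured period only.
    Pro-rata convention is an assumption; the contract's true-up clause governs."""
    return excess * unit_price * years


def price_estate(entitlements, events, counting="measured", blanket_perpetual=False):
    """Return (per-line amounts, total). blanket_perpetual=True reproduces a
    finding that applies the perpetual stack to every line regardless of model."""
    lines = {}
    for ent in entitlements:
        years = (ent.window[1] - ent.window[0]).days / 365.0
        if counting == "naive":
            consumed = naive_peak(events, ent.name)
        else:
            consumed = measured_peak(events, ent.name, ent.window)
        shortfall = max(0, consumed - ent.quantity)
        if ent.model == "perpetual" or blanket_perpetual:
            amount = perpetual_remedy(shortfall, ent.unit_price, ent.maint_rate, years)
        else:
            amount = term_remedy(shortfall, ent.unit_price, years)
        lines[ent.name] = round(amount, 2)
    return lines, round(sum(lines.values()), 2)


# Constructed estate: perpetual SCA with separate maintenance, term WebInspect.
ESTATE = [
    Entitlement("SCA", "perpetual", 20, 10_000.0, 0.20, (date(2023, 1, 1), date(2024, 12, 31))),
    Entitlement("WebInspect", "term", 5, 4_000.0, 0.20, (date(2024, 1, 1), date(2024, 12, 31))),
]

# Constructed scan log: 25 real SCA developers, five QA users on a nonprod
# pipeline, one user on a project decommissioned before the window, seven
# WebInspect testers plus one nonprod user.
EVENTS = (
    [ScanEvent("SCA", f"dev{i:02d}", "prod", date(2024, 3, 5)) for i in range(25)]
    + [ScanEvent("SCA", f"qa{i:02d}", "nonprod", date(2024, 3, 6)) for i in range(5)]
    + [ScanEvent("SCA", "legacy01", "prod", date(2022, 6, 1))]
    + [ScanEvent("WebInspect", f"sec{i:02d}", "prod", date(2024, 6, 10)) for i in range(7)]
    + [ScanEvent("WebInspect", "sec99", "nonprod", date(2024, 6, 11))]
)


def opening_finding():
    """Naive counting with the perpetual stack applied to every line."""
    return price_estate(ESTATE, EVENTS, counting="naive", blanket_perpetual=True)


def reconstructed_finding():
    """Measured consumption, each line priced under its own model."""
    return price_estate(ESTATE, EVENTS)


if __name__ == "__main__":
    print("opening:", opening_finding())
    print("reconstructed:", reconstructed_finding())
```

Run it directly to see both figures. The gap between them comes from two independent corrections: removing seats that were never production scan submitters inside the window, and pricing the term line under its own period-bounded remedy rather than the deemed-acquisition stack. Removing one perpetual seat deletes its license fee, its back maintenance and its first year maintenance together, which is the compounding the section above describes.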
A representative outcome
In a recent technology sector engagement, the opening finding applied the full perpetual remedy, with back maintenance and first year maintenance, to a developer seat overclaim. By reconstructing the actual seat consumption and correctly separating perpetual entitlements from term subscriptions, we removed both the inflated seat count and the back maintenance attached to seats that were never genuinely consumed. The settlement landed at a fraction of the claim, in the range we see consistently on these matters. That engagement is the one we file as E-02.
The negotiation angle
The license model also shapes the forward outcome. A finding is an opportunity to convert a messy mix of perpetual and term entitlements into a single clean agreement with defined metrics and audit protections. That conversion is the fourth of our four operations and the subject of the OpenPass work referenced throughout the playbook. Knowing the perpetual versus term position going in lets the buyer choose the structure rather than inherit one.
How the license model shapes the forward agreement
The perpetual versus term distinction does not end when the finding is priced. It shapes what a buyer should ask for on the way out. A finding is the moment of maximum leverage to convert a tangled mix of perpetual licenses, separate maintenance streams, and term subscriptions into a single agreement with defined metrics and written audit protections. Knowing the model of each entitlement going in lets the buyer decide which structure to carry forward rather than inheriting whatever the vendor proposes. A buyer with mostly perpetual entitlements may want to preserve perpetual rights while capping future maintenance increases. A buyer leaning on term subscriptions may prefer predictable renewal terms and clear capacity definitions so that the next measurement cannot be reopened on a shifting metric.
The Resolve operation is where this happens. We settle the finding on the buyer's terms and convert forward into a clean agreement that closes the ambiguities the audit exploited. The most valuable protections are precise: a defined seat metric that ties Fortify use to scan submission, environment terms that treat non production scanning under its own rules, and a measurement method agreed in advance so the next review starts from data rather than from a directory export. A buyer who understands the perpetual and term position of every line can negotiate each of these deliberately. A buyer who does not often accepts a forward structure that recreates the exposure the finding just resolved, which is why the license model reading is as much a forward planning exercise as a defensive one.
The practical takeaway is to never let a single remedy framework be applied across a mixed estate without challenge. Perpetual lines carry the deemed acquisition remedy with its stack of back maintenance and first year maintenance, while term lines turn on whether usage exceeded the entitlement during a defined period. A finding that ignores this distinction prices the whole estate at the harsher framework and overstates exposure on every line that should have been treated under the other model. The buyer who inventories each entitlement, labels it perpetual or term with its maintenance status, and insists the remedy match the model recovers value that a single blanket calculation would have quietly conceded.
Price the finding to the right license model
Perpetual and term entitlements carry different remedies. We label every line correctly and attack the exposure where it actually sits. Open a case to start the reconstruction.
Open a case →
For the seat counting methodology behind the reconstruction, read the Fortify seat counting white paper.
If an OpenText or Micro Focus audit notice has reached your desk, the first seven days carry more weight than any week that follows. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, brought the average finding down by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.