Releasing code under the wrong licence, or publishing behind a paywall when your funder requires open access, are both avoidable mistakes. This article explains the licence landscape for software and research publications so you can make deliberate choices about how your work reaches the world.
Sign in to mark this article as read and track your progress.
Producing research — writing code, collecting datasets, publishing papers — creates intellectual property. Without an explicit licence, the default in most jurisdictions is "all rights reserved": no one may use, copy, modify, or redistribute your work without asking your permission individually. A licence is a legally binding statement of what others are allowed to do with your work without needing to ask.
Two separate licence systems apply to research outputs: one for software and data (open-source licences and Creative Commons), and one for published papers (open access models).
Open-source licences allow others to use, study, modify, and distribute software. The key distinction among them is copyleft: whether a modified version must also be released under the same licence.
MIT Licence — the most permissive widely-used licence. Anyone may use, copy, modify, and distribute the software, including in proprietary products, as long as the original licence text and copyright notice are included. Used by: NumPy, Flask, jQuery.
Apache 2.0 — similar to MIT but adds an explicit patent grant: contributors give up the right to sue downstream users over patents covering the contributed code. Used by: TensorFlow, Kubernetes, Android.
The practical difference between MIT and Apache 2.0 matters most to commercial users. For academic code releases, either is appropriate; Apache 2.0 is preferred when the code may contain novel algorithmic ideas that could attract patent claims.
GNU General Public Licence (GPL v3) — anyone may use and modify the software, but any modified version distributed publicly must also be released under GPL. You cannot take GPL code, improve it, and release the improvement as proprietary. Used by: Linux kernel (GPL v2), GCC, WordPress.
GNU Affero General Public Licence (AGPL v3) — extends GPL to cover software run as a service: if you deploy AGPL software over a network, you must release your source code even if you never distribute a binary. Used by: MongoDB (older versions), Nextcloud.
GNU Lesser GPL (LGPL) — a middle ground that allows proprietary software to link against an LGPL library without triggering copyleft, as long as the library itself remains LGPL.
For academic research code where wide adoption and reproducibility matter, MIT or Apache 2.0 minimises friction. For code that embodies a public good (security tools, privacy-preserving algorithms) where preventing proprietary capture matters, GPL or AGPL may be appropriate. The Open Source Initiative (OSI) certifies licences as meeting the Open Source Definition; use only OSI-certified licences for work you intend to be genuinely open source.
Creative Commons (CC) licences are designed for creative and academic works — papers, datasets, educational materials — not for software (which is better served by OSI licences). They are modular: each licence is a combination of four elements:
| Element | Meaning |
|---|---|
| BY (Attribution) | You must credit the original author |
| SA (ShareAlike) | Derivatives must carry the same licence (copyleft) |
| NC (NonCommercial) | Commercial use is prohibited |
| ND (NoDerivatives) | No modified versions may be distributed |
Common combinations used in research:
Open access means that a published paper is freely readable by anyone with an internet connection, without a subscription paywall. Three models exist:
Gold open access — the paper is published immediately in open-access form in a journal that makes it freely available. The cost is typically an Article Processing Charge (APC) paid by the author or their institution — commonly £1,000–£3,000 for established journals. The Directory of Open Access Journals (DOAJ) lists legitimate gold-OA venues.
Green open access (self-archiving) — the paper is published in a subscription journal, but the author deposits a version (typically the accepted manuscript, not the final typeset version) in an institutional repository or preprint server. No APC is paid. Most major publishers now permit some form of green OA with an embargo period (typically 6–12 months for computing).
Diamond open access — the paper is freely available and no APC is charged. The journal's costs are covered by institutions, professional societies, or grants. Most workshop proceedings in computer science are diamond OA. The quality of diamond-OA venues varies: some (like ACL Anthology and many IEEE/ACM workshops) are well-regarded; others are not.
A preprint is a version of a paper posted publicly before (or simultaneously with) peer review. Preprint servers provide open access to research at the moment of completion, not after a 12-month embargo.
| Server | Field |
|---|---|
| arXiv.org | Computer science, mathematics, physics, statistics |
| bioRxiv / medRxiv | Biology, medicine |
| SSRN | Social sciences, law, economics |
| TechRxiv | Electrical engineering, technology |
Posting a preprint does not prevent subsequent journal submission in most fields. It establishes priority (the timestamp proves you completed the work first), allows community feedback before formal peer review, and makes results immediately available. The majority of ML and security research appears on arXiv before journal publication.
Not all open-access journals are legitimate. Predatory journals charge APCs but perform no genuine peer review — they accept papers without scrutiny to collect fees. Warning signs: unsolicited emails with excessive praise, implausibly fast "peer review" (days), journals covering improbably broad topic areas, impact factors that cannot be verified.
The Beall's List (maintained in archived form) and Cabell's Predatory Reports document known predatory venues. Publishing in a predatory journal damages rather than builds a research record — the paper may be retracted, and hiring committees recognise predatory venues.
Many research funders now require open access:
Verify the open-access requirements of any grant before selecting a publication venue, since non-compliance can affect future funding.
A student has written a malware detection tool in Python during their dissertation, using scikit-learn (BSD licence) and PyTorch (BSD licence). They want to release the code so that: (a) any researcher can use and modify it freely, (b) companies cannot incorporate it into proprietary products without releasing their modifications.
Which licence should they choose and why? Would MIT be appropriate? What if they also want to release their labelled malware dataset — which Creative Commons licence would be most appropriate, and why?