LEGAL · LICENSE + TRADEMARK

License + trademark

Plain-English explainer for the Apache 2.0 license + the trademark carve-out. The full legal text is in the LICENSE and NOTICE files at the root of the source tree.

AT A GLANCE

Meridian is licensed under the Apache License 2.0. That means: free to install, modify, distribute, and use commercially, with two real constraints — preserve the LICENSE + attribution notices, and don't use the "MeridianNIP" name or logo on your own fork (trademark, separate from license). There are no paid tiers, no license keys, no commercial agreements required, no telemetry, no expiry. Everyone gets full feature parity.

1. The Apache 2.0 grant

Under Apache 2.0, you may, at no cost, without contacting anyone:

Install and run Meridian on any number of hosts for any purpose — personal lab, home network, corporate intranet, paid consulting work, customer deployments, anything.
Modify the source for your own needs.
Distribute modified versions, including commercially.
Receive a perpetual patent license from every contributor for patent claims their contributions necessarily use. This is the main reason Apache 2.0 is enterprise-friendly: corp legal teams know they can't be patent-trolled later by the same people who contributed code.

Conditions when you redistribute (your own use is unconditional):

Include the LICENSE in the distribution.
Note any changes you made to files (Apache 2.0 calls this "carry prominent notices stating that You changed the files").
Preserve copyright + attribution notices (see NOTICE).
If you ship a derivative under your own name, use a name and logo that aren't "MeridianNIP" (see trademark section below).

2. Trademark — "MeridianNIP"

Apache 2.0 grants a copyright + patent license. It explicitly does not grant rights to use the licensor's trademarks (LICENSE Section 6). For Meridian, that matters in one specific way:

The product name MeridianNIP is a trademark.
The MeridianNIP logo (the green-on-dark "M" badge) is a trademark.
If you fork this codebase and ship your own distribution, your distribution must use a different name and a different logo. Pick one — there are plenty of good ones available.
You can absolutely run the original MeridianNIP build internally and tell people you use MeridianNIP. That's nominative fair use, not branding your derivative.
You can also strip the "Powered by Meridian" footer on your own deployment via Admin → Branding. That's allowed because it's your deployment, not a re-branded distribution.

WHY THE CARVE-OUT

Permissive OSS licenses without trademark protection lead to a pattern where some vendor takes the code, makes minimal changes, charges money under the original name, and degrades the brand for everyone who recognises it. Apache 2.0 Section 6 + a trademark are the standard pair of tools to prevent that without restricting actual code reuse. See: PostgreSQL, Kubernetes, Apache Cassandra — same pattern.

3. Restrictions that apply to everyone

You may not remove or alter copyright, trademark, or license notices in the software or its documentation. Apache 2.0 Section 4(c).
You may not use the "MeridianNIP" name or logo on your fork or derivative (Section 6 / trademark).
You may not sue MeridianNIP or other contributors over patents in this code and keep using it — that automatically terminates your patent license (Section 3).

4. Data, privacy, telemetry

Meridian runs entirely on your own infrastructure. Operational data (scan results, monitor history, audit log, configuration, secrets) stays on-box. The portal makes no outbound calls to MeridianNIP or anyone else by default. The only outbound traffic the core portal performs is what you explicitly configure:

External threat-intel API calls when an operator clicks a tool button (Censys, Shodan, VirusTotal, etc.) — all rate-limited per the safety caps in app/safety/limits.py.
Optional vendor repository access for OS package mirroring (Debian apt).
Let's Encrypt ACME calls if you chose that SSL method.

Installs configured with install.sh --airgapped skip even the apt / Let's Encrypt paths.

5. Warranty disclaimer

Meridian is provided "AS IS" without warranty of any kind, express or implied, including but not limited to warranties of merchantability, fitness for a particular purpose, and non-infringement. The licensee is responsible for validating that the software meets their operational and compliance needs before deploying it on production networks. See LICENSE Section 7.

6. Limitation of liability

To the maximum extent permitted by applicable law, in no event will any contributor be liable for any indirect, incidental, special, consequential, or punitive damages arising out of or relating to the use or inability to use the software, even if advised of the possibility of such damages. See LICENSE Section 8.

7. Contributing

Contributions are accepted under the same Apache 2.0 terms (Section 5: any contribution submitted is automatically under the license unless you explicitly state otherwise). Project standards live in CONTRIBUTING.md in the source repo at github.com/MeridianNIP/meridian.

Contact

Bug reports, feature requests, and code questions go on GitHub Issues. The project is community-supported — no paid SLA exists.

MERIDIAN · DOCUMENTATION