When a software vendor bundles Oracle Java inside their product, most enterprises assume the vendor carries the licence. They usually don't. This is a forensic look at Java third party apps licensing — who is actually liable when Oracle JDK arrives inside someone else's software, and how to push back when Oracle bills you for it.
Short answer: When third-party software bundles Oracle Java, the vendor's redistribution agreement only covers the JDK when it runs solely with that one application. Any other use — or a vendor without valid redistribution rights — makes the end customer liable for an Oracle Java SE subscription on the Employee Metric.
The end customer is liable by default. Oracle Java third party apps licensing follows a simple principle Oracle's audit team relies on: the deployment lives on your estate, so the obligation attaches to you unless you can prove someone else's licence covers it. A vendor bundling Oracle JDK does not automatically transfer protection to your organization.
A redistribution licence is a contract between Oracle and the software vendor (the ISV) that permits the vendor to ship Oracle Java with their product. It does one thing: it lets the vendor's application run on Oracle JDK without the customer needing a separate subscription — but only for that application, and only if the vendor actually holds the agreement. Three failure modes turn this protection into your problem. The vendor never held a valid redistribution agreement. The agreement expired or was never renewed. Or your teams used the bundled runtime for something other than the vendor's application. Any one of these collapses the defence and exposes you to Oracle's Employee Metric.
This is why "it came pre-installed with our ERP" is not, on its own, a defence Oracle accepts. Oracle's position in audit is that you must produce evidence the vendor was licensed to redistribute and that the runtime was used only as bundled. The burden of proof sits with the buyer. Our Oracle Java Licensing service assembles that evidence forensically — and challenges every install Oracle tries to count that the vendor's agreement actually covers.
Most enterprises carry Oracle JDK inside a dozen vendor products and never knew. Our Java Licensing team maps every bundled and standalone runtime before Oracle does — turning audit exposure into a defensible position.
An ISV redistribution licence is a negotiated agreement that grants a software vendor the right to embed and distribute Oracle Java with their commercial product, passing limited runtime rights to the vendor's end customers. The scope is narrow by design — Oracle drafts these agreements so that protection stops at the boundary of the vendor's application.
Under a typical redistribution arrangement, the vendor may ship Oracle JDK as part of their installer, the customer may run that JDK to operate the vendor's application, and the customer needs no Java SE subscription for that specific, bounded use. What the agreement never grants is the right for the customer to point the same JDK at other workloads, run developer tooling against it, schedule unrelated scripts on it, or treat it as a general corporate Java runtime. The moment the runtime serves anything beyond the vendor's app, the bundled protection evaporates and the Employee Metric applies to your whole organization.
There is a second, quieter trap: not every vendor that bundles Oracle JDK actually holds a current redistribution agreement. Some shipped Oracle JDK under older, more permissive licence terms that Oracle has since changed. Others bundled it without any agreement at all and are simply hoping Oracle never audits their customer base. When Oracle finds the install on your servers, Oracle pursues you — the deployment is yours — and your only recourse is contractual indemnity from the vendor, which most enterprise agreements do not contain.
| Scenario | Runtime shipped | Who is liable | Subscription needed? |
|---|---|---|---|
| Vendor with valid redistribution agreement; app-only use | Oracle JDK | Vendor (covered) | No |
| Vendor agreement valid; you reuse JDK for other workloads | Oracle JDK | You | Yes — full Employee Metric |
| Vendor never held redistribution rights | Oracle JDK | You | Yes — back-licence exposure |
| Vendor ships an OpenJDK build | Temurin / Corretto / Zulu | No Oracle obligation | No |
| Vendor lets you supply your own runtime | Your choice | You control it | No (if you use OpenJDK) |
The pattern is unmistakable: the safest position is a vendor that either holds a verifiable redistribution agreement or — better still — supports a customer-supplied OpenJDK runtime. Our complete Oracle Java Licensing Guide sets out how the Employee Metric is calculated once a general-purpose obligation is triggered.
Bundled Java is an Oracle JDK shipped with, and used exclusively by, a single application under that vendor's redistribution licence. General-purpose Java is any use of the runtime beyond that one application — and general-purpose use is never covered by a vendor's redistribution rights. This single distinction decides almost every contested third-party Java finding.
The distinction sounds clean on paper and gets messy in production. A vendor ships Oracle JDK 17 to run their analytics platform — that is bundled use. But then a system administrator notices the JDK is already installed, and uses it to run a nightly data-export script unrelated to the analytics platform. That script is general-purpose use. It does not matter that the runtime arrived bundled; the new workload is outside the vendor's licence, and Oracle treats the entire organization as requiring an Employee Metric subscription from that point forward.
This is precisely the behaviour Oracle's audit playbook is built to surface. Oracle's licence measurement team knows that shared servers blur the boundary, that administrators reuse whatever runtime is already present, and that few enterprises document which JDK serves which workload. The compliance gap is not technical — it is organizational. Treat every bundled Oracle JDK as a runtime that must be ring-fenced to its single application, or assume Oracle will argue it became general-purpose. Our analysis of bundled-Java findings shows that uncontrolled reuse of a vendor-supplied JDK is the most common trigger Oracle cites when escalating a "limited" bundled install into a full-organization back-licence claim (Oracle Licensing Experts engagement data, 2026).
Oracle detects bundled Java exactly the same way it detects standalone Java: its LMS (License Management Services) scripts, now run under Oracle GLAS, scan each machine for every Oracle JDK and JRE binary, read the release files, and report the version, vendor, and install path. The scripts do not know or care that a runtime arrived inside a vendor product — they count the binary.
That is the crucial point for buyers: Oracle's raw discovery output makes no distinction between a JDK that came bundled with a licensed vendor application and one a developer downloaded directly. Both appear in the count as Oracle Java. The "this was bundled and covered" argument is not something Oracle's tooling credits automatically — it is a defence you must construct after the fact, with the vendor's redistribution agreement, install evidence, and proof the runtime served only the bundled application. If you cannot produce that evidence, Oracle counts the install against your Employee Metric.
Oracle reinforces detection with off-server signals: My Oracle Support download logs, Java update traffic from corporate IP ranges, and OTN licence acceptances tied to corporate accounts. When those signals show your organization pulling Oracle Java updates, Oracle has a strong opening to argue general-purpose use regardless of how the runtime was originally installed. Understanding how Oracle detects Java across your estate is the first step in deciding what you actually need to defend — and what you can remove before the scripts ever run.
Never submit LMS script output before independent review. Our Oracle Audit Defense team separates bundled, covered installs from genuine exposure — and challenges Oracle's count line by line.
You defend a third-party Java audit claim by proving, install by install, that each Oracle JDK either falls under a valid vendor redistribution agreement used only as bundled, or has been removed. Defence is evidence-based and adversarial — you challenge Oracle's blanket count rather than accepting it. The work breaks into a disciplined sequence:
This is forensic work, and the savings are real. Across contested third-party-Java engagements, separating covered bundled installs from genuine general-purpose exposure and remediating reuse reduces Oracle's assessed Employee count by 20–45% (Oracle Licensing Experts engagement data, 2026). The Telecom Java Audit Defense case study shows the same evidence-based approach taking a $4.2M Oracle Java claim to zero.
The contract term that protects you is a specific Java indemnity in your agreement with the software vendor — a clause where the vendor warrants it holds valid Oracle redistribution rights for any Java it bundles and indemnifies you against any Oracle claim arising from that bundled runtime. Without it, the vendor's licensing risk silently becomes your audit exposure.
Most enterprise software agreements contain a generic third-party-components clause that quietly shifts all embedded-software risk onto the customer — the opposite of what you want. When you procure or renew any product that may bundle Java, negotiate three protections. First, a warranty that the vendor holds and will maintain valid Oracle Java redistribution rights for the life of the agreement. Second, an express indemnity covering Oracle Java SE subscription costs, back-licence claims, and audit defence expenses arising from the bundled runtime. Third, a commitment to support a customer-supplied OpenJDK runtime, so you can remove the Oracle dependency entirely if Oracle's terms shift again.
These are buyer-side terms you must push back for during procurement, because no vendor offers them voluntarily. Our Oracle contract negotiation team drafts and red-lines Java indemnity language into software agreements, and our Oracle Negotiation Guide sets out the wider playbook for protecting against Oracle's agenda. When the obligation is unavoidable, the next decision is whether to license or migrate — and that is a benchmarking exercise, not a guess.
Our guide covers bundled-Java liability, redistribution-clause analysis, Employee Metric calculation, LMS script defence, and OpenJDK migration planning — with data from 120+ Java SE engagements. Download free.
Download Free Guide →Often yes. A vendor's redistribution agreement with Oracle only covers the bundled JDK when it is used solely with that vendor's application. If your teams use the same Java runtime for any other purpose, or if the vendor never held a valid redistribution licence, the general-purpose use falls back on you and requires an Oracle Java SE subscription on the Employee Metric.
Read the vendor's licence terms and ask for written confirmation that they hold an Oracle Java redistribution agreement covering your use. If the vendor distributes an OpenJDK build (Temurin, Corretto, Zulu) rather than Oracle JDK, no Oracle subscription is required at all. The distinction is the binary on disk, not the brand of the application.
Yes. Oracle's LMS scripts detect every Oracle JDK and JRE binary on a machine regardless of how it got there. Oracle does not distinguish bundled installs from standalone ones in the raw count — that distinction is an argument you must make with evidence during the audit, not something Oracle credits automatically.
Oracle will pursue the end customer for the subscription, because the deployment sits on your estate. Your recourse against the vendor is contractual — an indemnity clause in your software agreement. Most enterprises discover too late that their vendor contract contains no Java indemnity, leaving them carrying Oracle's back-licence claim.
Bundled Java is an Oracle JDK shipped with and used exclusively by one application under that vendor's redistribution licence. General-purpose Java is any use beyond that single application — running scripts, other apps, or development against the same runtime. General-purpose use is never covered by a vendor's redistribution rights and requires your own subscription.
Sometimes. If the vendor supports running their application on a customer-supplied OpenJDK build, swapping Oracle JDK for Temurin or Corretto removes the Oracle licence obligation entirely. If the vendor mandates their bundled Oracle JDK and refuses to support alternatives, the obligation stays — push the vendor to either license it or certify an OpenJDK runtime.
Stay ahead of Oracle's Java licensing tactics. Receive bundled-software red flags, Employee Metric updates, and negotiation data from active engagements — every week.
Oracle Licensing Experts Team — Former Oracle licensing executives, LMS auditors, and contract managers, now working exclusively for enterprise buyers. Not affiliated with Oracle Corporation. About our team →