I have a really stupid question. One that hasn't been relevant since the 1990's, but here we are.

Does anybody know if there is a breakdown of #OpenSource #licenses that either explicitly do, or explicitly do not permit them to be in scope of #PenetrationTesting?

I can't go into details about who or why, but it's come up at work and the legal team is now sitting with their heads on their desks weeping openly.

Please boost. A helpful paper might come out of this that will help a lot of people.