The most common Oracle Java audit story in 2026 does not start with a purchase. It starts with a free download. An engineer needed a runtime, went to a public page, accepted a click-through license, and installed Oracle Java across a fleet of machines. Years passed. Nobody tracked it. Then a letter arrives, and Oracle treats every one of those free installs as evidence that the whole company should be paying the per-employee Universal Subscription. The free download is not a defense in Oracle's framing. It is the opening of the claim.
This article is part of the Java Audit Survival Guide, the buyer-side pillar on defending an Oracle Java audit. If your estate is built on free downloads, the points below are where the defense lives.
Why free does not mean licensed
Free and licensed are two different things, and Oracle relies on buyers blurring them. Before April 2019, Java SE updates were effectively free for most commercial use, so a download and an install carried no running cost. April 2019 ended free public updates for Java SE 8, and the later move in January 2023 to the per-employee Universal Subscription changed the commercial model entirely. A binary that was genuinely free to run in 2018 may sit under a paid update regime today if it was patched after the cutoff. The audit question is never simply whether you downloaded it. It is which version, patched when, and under what license terms at that moment.
Where the real exposure sits
For a company built on free downloads, exposure concentrates in a few places, and a defense isolates them rather than conceding the whole estate:
- Installs that received a paid update after the free update cutoff for that version, since the update, not the download, is what carries the charge.
- Oracle-branded distributions specifically, as opposed to a free OpenJDK distribution that happens to also be called Java in casual conversation.
- Machines that are still live versus machines long since retired or reimaged, where dated removal records change the picture.
- The counted population Oracle wants to apply the metric to, which is a separate fight from how many binaries exist.
The trap is letting Oracle convert a handful of patched installs into a per-employee charge across every full-time and part-time employee, every contractor, and every temporary worker, regardless of who ever touched Java. That leap is the single largest driver of an inflated claim, and it is contestable. The mechanics of who Oracle tries to count are covered in disputing contractor inclusion in a Java audit.
The distribution question that changes everything
Not all Java is Oracle Java. A free OpenJDK distribution from another provider carries no Oracle subscription obligation, yet in an audit those binaries are frequently swept into the claim because nobody separated them. Telling Oracle-branded Java from a free distribution across thousands of machines is precise technical work, and it routinely removes a large share of the apparent footprint. A claim that assumed every Java install was Oracle Java collapses once the free distributions are carved out and proven.
| What was downloaded | Oracle's opening assumption | Defended position |
|---|---|---|
| Free OpenJDK distribution | Counted as chargeable Oracle Java | Identified and excluded entirely |
| Oracle Java, never patched after cutoff | Counted as a paid subscription trigger | Examined for whether any paid update applied |
| Oracle Java on retired machines | Counted across the full lookback | Dated removal records limit the period |
| Oracle Java on a handful of live hosts | Used to price the whole employee base | Isolated to the workloads that truly need it |
Indicative worked example. A mid-sized services firm believed it faced a per-employee charge across its entire workforce because Oracle Java had been freely downloaded onto most desktops years earlier. A binary-level sweep showed most installs were a free OpenJDK distribution, a portion of the Oracle binaries had never been patched after the relevant cutoff, and the genuinely chargeable workloads sat on a small server group. The defensible base was a fraction of the opening number. Figures are indicative.
What to do the moment a letter lands
The instinct after a free download history is to run Oracle's discovery script and hand over whatever it finds. That is the costliest possible move, because the raw output cannot tell Oracle Java from a free distribution and cannot date anything. Build your own evidence first. Sweep the estate, separate Oracle-branded Java from free distributions, date installs and removals, and isolate the workloads that actually require a paid subscription. The disciplined sequence for those opening days is laid out in the first 48 hours of a Java audit.
The bottom line
A free download is the beginning of an audit story, not the end of a defense. The charge does not attach to the act of downloading. It attaches to Oracle-branded binaries that took a paid update, on live machines, for the population Oracle is entitled to count. Separate the free distributions, date the history, isolate the genuine need, and the claim shrinks to what is actually owed rather than what Oracle hopes to apply across your whole workforce.