When a vendor ships its product with Oracle Java inside, the question of who licenses that runtime is a commercial one with real money attached, and the default answer Oracle prefers is that you do. This is a buyer side guide to resolving the bundled Java problem, vendor by vendor and clause by clause, before a 2026 audit resolves it in Oracle's favor.
Vendor software that ships with Oracle Java inside creates a commercial question, not just a technical one: does the vendor's license cover the runtime, or does the obligation fall to you. Resolve it per product, in writing, before an audit assumes the answer is you and prices it across your whole workforce.
A large share of enterprise software ships with its own Java runtime bundled inside, and a meaningful portion of that is commercial Oracle Java. The technical fact, that Oracle Java is present, is easy to establish once you look. The hard part is commercial: when a vendor product contains Oracle Java, who is responsible for licensing it. The answer is not automatic, and it is not always in your favor, but it is also not always against you. It depends on the arrangement between the application vendor and Oracle and on the terms of your agreement with that vendor. Treating this as a settled question in either direction is the mistake, because conceding an obligation a vendor actually covers wastes money, and ignoring one that genuinely falls to you creates audit exposure.
The reason this is worth real effort is the leverage a single bundled runtime carries under the model Oracle introduced in January 2023. The Universal Subscription counts every full time and part time employee, every contractor, and every temporary worker, regardless of who uses the product, so one unresolved bundled runtime that Oracle attributes to you can be framed as a reason to license your entire counted population. Bundled Java is small in footprint and large in consequence.
Bundled runtimes are attractive to an auditor for two reasons at once. First, organizations rarely track them, because nobody deliberately installed them, so a bundled finding often catches the customer by surprise and demonstrates that their own inventory was incomplete, which undermines confidence in every other number they present. Second, the default assumption Oracle prefers is that the customer carries the license for any Oracle Java running in their environment, including the bundled kind, unless the customer can prove otherwise. The combination lets a single overlooked runtime do double duty: it suggests the estate is bigger than claimed and it adds a fresh obligation. The defense is to have resolved the question first, so the surprise and the assumption both fall away.
For every vendor product that ships Oracle Java, get the answer to one question in writing: does your license for this product cover the embedded Oracle Java, and on what terms. A vendor statement that it does, or that the product runs on a free distribution, is evidence you can hold against an audit finding.
Every bundled Oracle Java runtime resolves into one of three outcomes, and knowing which you are in changes what you do. The vendor may license the embedded runtime as part of its product, in which case your use is covered and your job is to document the proof and retain it. The obligation may pass to you, in which case you size that requirement precisely and contain it rather than letting it sit unmanaged. Or the bundled runtime may turn out to be a free distribution despite first appearances, in which case there is no Oracle obligation at all and you simply record it. The danger lies entirely in not knowing which outcome applies, because an unresolved runtime defaults, in Oracle's framing, to the most expensive interpretation.
| Outcome | Who carries the license | Your action |
|---|---|---|
| Vendor covers the runtime | The application vendor | Get it in writing, retain proof |
| Obligation passes to you | You | Size, contain, or migrate |
| Runtime is a free distribution | No Oracle obligation | Record and move on |
When a bundled runtime turns out to be your obligation, the vendor that shipped it is part of your defense, not a bystander. Ask each vendor that bundles Oracle Java a direct set of questions and get the answers in writing. Does your license for this product include the embedded Oracle Java, and if so on what terms and for what use. If it does not, can the product run on a free OpenJDK distribution instead, and is that configuration supported. Many products run perfectly well on a free runtime, and a supported switch removes the obligation entirely. A written vendor statement, either that the license covers the runtime or that a free distribution is supported, is exactly the kind of evidence that turns a contested audit finding into a closed question. The bundled layer is often the one where the vendor, not Oracle, holds the key.
Consider an anonymized healthcare organization that swept its application estate for bundled Java ahead of any audit. It found commercial Oracle Java inside several products. On inspection, two were covered by the vendors' own licensing, which the organization documented and set aside. One product shipped Oracle Java for which the obligation genuinely fell to the customer, and the vendor confirmed in writing that the product also supported a free distribution, so the organization switched and removed the obligation. The remaining bundled runtimes proved to be free builds. Without the sweep, the covered runtimes would have been conceded needlessly and the one real obligation would have surfaced first in an audit. The figures are indicative, but the order of operations turned a hidden risk into a resolved record.
The most durable defense is to catch bundled Java at the point of purchase rather than years later in an audit. When a new product is evaluated, ask before signing whether it ships a Java runtime, which distribution, and who carries the licensing responsibility, and record the answer. A product that bundles Oracle Java and passes the obligation to the customer carries a hidden cost that belongs in the buying decision, especially because that cost can be framed against your entire counted population under the per employee model. Making this a standing question in procurement means each bundled runtime enters your estate already attributed and resolved, closing the most common path by which unmanaged Oracle Java arrives in the first place. With the 2026 audits applying a three year lookback, a clean, dated record of who covers what is far stronger than a scramble after the letter lands.
Bundled Oracle Java in vendor software is a commercial question with real money attached, and the default answer Oracle prefers is that you owe it. Resolve each runtime per product, get the vendor's position in writing, migrate to a free distribution where the product supports it, and build the check into procurement. To find the embedded runtimes in the first place, read discovering Java inside third party applications, and to record the resolved position so it holds, see building a Java inventory that holds up. For the full buyer side method, read our Oracle Java licensing guide for 2026.
Book a Strategy Call and we will help you resolve the bundled Java in your vendor software, pin down who carries the license in writing, and remove the exposure you do not actually owe.
Book a Strategy CallFixed Fee from $18,000 or Gainshare, a share of verified savings or avoided exposure with zero retainer and no risk to you. We sit between you and Oracle and we never take vendor money.
Get a QuoteWeekly intelligence on Oracle Java licensing moves and the buyer side defenses that work.