Enterprise Source Access

Mezite is closed-source software. We distribute signed binaries and container images only; the source code is not published, and we do not accept external contributions.

For Enterprise customers who need source-level assurance — security teams, regulators, compliance auditors, and pentesters — we offer a Source-Available License (SAL) granting controlled access to the codebase under NDA.

Why closed source by default

Shipping closed binaries is a deliberate commercial and operational choice. It keeps the build pipeline, signing keys, and release artifacts under our direct control, simplifies our supply-chain story, and reduces the surface available to opportunistic source scanning. Mezite is a security-critical product; we treat its distribution like the certificate authority it implements.

We do not claim that closed source is security. Real security assurance comes from independent review, signed reproducible builds, and controlled disclosure — all of which our Enterprise tier provides.

What Enterprise Source Access includes

  • Read access to the full source tree (mezhub, mezd, msh, mezctl, identity, proto, server libraries, migrations).
  • Reproducible build instructions so you can verify shipped binaries.
  • Rights to run static analysis (SAST), software composition analysis (SCA), dynamic analysis (DAST), and authorized penetration testing against your own deployment.
  • Access to internal architecture documents, threat models, and security review notes.
  • Pre-disclosure of CVEs and security advisories ahead of public release.
  • A direct line to a named security engineer for review questions and finding triage.

What it does not include

  • The right to redistribute the source, in whole or in part.
  • The right to publish source excerpts, screenshots, or derivatives publicly.
  • The right to build a competing product or fork from the codebase.
  • Modification rights for production deployment — supported builds remain ours.
  • Any open-source license grant (MIT, Apache, AGPL, BSL, or otherwise).

Findings from your audits and pentests are yours; we ask that you disclose security-relevant findings to us privately under standard responsible-disclosure terms.

How access is delivered

  • A read-only Git mirror, scoped to named users on your security team.
  • Source archives (.tar.gz, signed) tied to specific release tags, for offline audit environments and air-gapped scanners.
  • Build provenance metadata (SLSA attestations, cosign signatures, SBOM) for every release.

Eligibility

Source-available access is included with the Enterprise tier. It is available to organizations on an active Enterprise subscription, after execution of a mutual NDA and the Mezite Source-Available License agreement. Evaluation access can be arranged for serious procurement reviews under a short-form NDA.

How to request access

Email sales@mezite.com with:

  • Your organization and the deployment scale you are evaluating.
  • The reason for source access (audit, pentest, SAST, compliance, etc.).
  • The named individuals on your security team who should receive access.

We typically turn requests around in 5 business days. Existing Enterprise customers can request access through their account contact.

Reporting vulnerabilities

If your audit or scanner finds a security issue, please report it privately to security@mezite.com. See the Security page for full disclosure terms.