Locations

Resources

Careers

Contact

Contact us

Uncategorized

Third-Party Support for Oracle Products: Legal Analysis for CIOs

Third-Party Support for Oracle Products: Legal Analysis for CIOs

Executive Summary

Third-party support for Oracle software and hardware can offer significant cost savings and flexibility for CIOs, but it raises important legal and strategic considerations. Is it legal? In general, yes – courts have affirmed that Oracle customers can hire independent support providers as long as they stay within the bounds of their license agreements​. Major lawsuits (notably Oracle v. Rimini Street and Oracle v. SAP/TomorrowNow) have clarified what practices are lawful versus infringing. Oracle’s contracts and aggressive enforcement posture add complexity, meaning CIOs must proceed with caution and due diligence.

Key takeaways for CIOs include:

  • Legal Precedent: Recent court decisions reinforce the legitimacy of Third-party software support under current law. However, certain methods (like wholesale copying of Oracle software for use across clients) are illegal.
  • Oracle’s Stance: Oracle fiercely protects its intellectual property and support revenues. It has litigated against third-party providers and uses license terms and audits to discourage customers from leaving Oracle support​.
  • Pros vs. Cons: Third-party support can cut annual maintenance fees by 50% or more and extend the life of stable systems, but CIOs must weigh risks like compliance pitfalls, loss of official updates, and potential vendor pushback.
  • Comparisons: Other vendors like SAP and IBM also prefer customers on their support, yet only Oracle has pursued legal battles so vigorously. SAP and IBM customers do use third-party support, and those vendors have taken different approaches to the practice.
  • Recommendations: CIOs considering third-party support should involve legal counsel to review contracts, prepare for possible audits, and thoroughly vet third-party providers’ practices. With proper precautions, many organizations have successfully leveraged third-party support to optimize costs without violating agreements.

Below, we provide a structured analysis covering the legal foundation, case history, Oracle’s policies, third-party support models, pros and cons, vendor comparisons, and actionable recommendations.

1. Legal Foundation and Current Precedent for Third-Party Support

From a legal standpoint, nothing inherently prohibits a software licensee from hiring an outside firm to support licensed products. U.S. courts have explicitly confirmed that third-party software support is legal if the customer and provider adhere to the license terms. As one recent federal ruling stated, “the pertinent [Oracle] software licenses do not prohibit Oracle’s customers from hiring a third party… to perform updates or fixes to the same extent the Oracle customer could under the license.” If a customer is authorized to run and maintain Oracle software, they can engage a third party to assist with those maintenance activities, just as an in-house employee could.

The legal foundation rests on intellectual property and contract law. Oracle (and other vendors) license their software to customers, granting usage rights typically in perpetuity or for a term. Customers who own valid licenses have the right to use and maintain the software, and this right can extend to utilizing external help. Courts have upheld that “customers have the right to hire a third party to support software they are licensed to use”​. In other words, independent support is lawful as long as no additional copies or uses of the software occur beyond what the license allows.

It’s important to distinguish legal from what might breach the contract. While hiring a third-party support provider is not illegal per se, Oracle’s contracts impose certain restrictions. Customers must remain compliant – for example, by not using Oracle’s copyrighted patches or support materials beyond their entitlement and not violating any license metrics. The concept is analogous to hiring an independent mechanic for a car you own: it’s legal to do so, but you can’t give the mechanic an illegal copy of the car’s onboard software. Likewise, third-party support providers must work within the customer’s licensed environment and rights. Courts on both sides of the Atlantic have accepted this principle: “an independent third party can legally provide software maintenance services”, and even Oracle’s lawsuits have hinged not on the existence of third-party support, but on how it was delivered​.

Current precedents in the industry reinforce the legality of third-party support when done correctly. After years of litigation (discussed below), the cloud of uncertainty has largely lifted​. Thousands of organizations, including government agencies and Fortune 500 companies, now use third-party support for Oracle and SAP products​. Analyst research indicates this practice has moved into the mainstream, with Gartner projecting that the third-party software support market will triple from $351 million in 2019 to over $1 billion by 2023​. In summary, the law and recent judgments provide a green light for CIOs to consider independent support options, with the critical caveat that all license obligations and IP rights must be respected in the process​.

2. Major Court Cases Shaping Third-Party Support (Oracle vs. Rimini Street, SAP, etc.)

Two high-profile legal battles – Oracle v. Rimini Street and Oracle v. SAP (TomorrowNow) – have defined the boundaries of third-party support and serve as cautionary tales.

  • Oracle vs. Rimini Street: Rimini Street is a third-party support provider founded in 2005 that services Oracle and SAP products. Oracle sued Rimini in 2010, alleging that Rimini’s support practices infringed Oracle’s copyrights and violated computer access laws. The crux of Oracle’s claim was that Rimini overstepped legal bounds by copying Oracle software and support materials in ways customers themselves could not. For example, Rimini was found to have used one client’s Oracle login credentials to download patches and updates, then reused those materials to support other customers – effectively “cloning” Oracle’s software environments on Rimini’s systems. In 2015, a jury trial resulted in a mixed outcome: Oracle prevailed on a limited copyright claim (with the jury labeling Rimini’s infringement as “innocent” rather than willful) and lost many other claims​. Oracle was awarded around $50 million in damages plus attorneys’ fees, and the court issued an injunction barring Rimini from repeating the infringing practices​. Rimini Street appealed multiple times. A key point was clarified throughout the appeals: Third-party support itself was not deemed illegal. The courts acknowledged that aside from the specific acts of copyright infringement (unauthorized copying of Oracle code and support documents), Rimini’s business model – providing independent support to Oracle licensees – was a lawful concept​. The Ninth Circuit vacated an earlier broad injunction, ensuring it targeted only unlawful methods, not the provision of support services generally​. Rimini announced it had reformed its processes as of 2014 to comply with the rulings, shifting to “Process 2.0,” where all Oracle software fixes are developed within the scope of each customer’s licensed environment. The legal saga (sometimes dubbed “Rimini I” and “Rimini II” for separate sets of claims) continued for over a decade. In 2018, the U.S. Supreme Court even weighed in on a peripheral issue (recoverable legal costs), handing Rimini a unanimous victory that forced Oracle to refund $12.8 million​. Most recently, in 2023, a federal judge ruled that Rimini still violated Oracle’s copyrights in certain support processes (particularly around PeopleSoft updates) and imposed another permanent injunction limiting how Rimini can service Oracle products​. Oracle heralded this as a win, with the court finding Rimini had continued some improper practices and ordering corrective actions. However, importantly for customers, the 2023 decision reaffirmed that Oracle’s customers are not barred from hiring third-party support – it targeted how Rimini delivered updates, not the idea of third-party support itself. Rimini Street emphasizes that it is still free to support Oracle products (and it does), operating under the court’s guidelines. The net result of Oracle v. Rimini is a clearer delineation: independent support is lawful, but copying Oracle’s intellectual property beyond what a licensee can do is not.
  • Oracle vs. SAP (TomorrowNow): In a related saga, Oracle in 2007 sued SAP over the actions of SAP’s subsidiary, TomorrowNow. TomorrowNow was a third-party support firm that SAP acquired to offer lower-cost support for Oracle-acquired products (like PeopleSoft and JD Edwards). Oracle accused TomorrowNow of systematically downloading Oracle’s support materials and software using Oracle customer credentials on a massive scale​. SAP admitted wrongdoing – TomorrowNow staff had pulled down thousands of Oracle’s patches and documentation that some customers weren’t entitled to – and SAP shut down that subsidiary. The case, decided in 2010–2011, resulted in a record jury verdict of $1.3 billion for Oracle, later reduced on appeal to a $356.7 million settlement accepted by Oracle​. SAP also faced a criminal investigation, ultimately paying $20 million in fines to settle charges related to the illegal downloads​. The TomorrowNow case underscored that even a software vendor (SAP) could not take liberties with a competitor’s intellectual property, even if acting on behalf of mutual customers. SAP’s defense – that customers authorized it to access Oracle’s support site – failed because TomorrowNow accessed materials beyond what those customers had licensed​.

These cases establish important precedents. First, they illustrate that Oracle will aggressively pursue infringement of its intellectual property. Both Rimini Street and SAP learned that unauthorized copying of Oracle’s code or support content leads to liability, even if done under the banner of “support.” Second, they confirm that the concept of third-party support was not outlawed. In each instance, the illegal behavior was the misappropriation of Oracle’s software (copyright infringement and contract breach), not the act of a customer hiring an outside support provider. Courts have consistently drawn this line. As an IT law expert summarized, the Oracle v. Rimini litigation demonstrated that independent support is permissible. However, hosting Oracle software on one’s servers and reusing Oracle’s support materials for multiple clients was beyond the license and thus unlawful​.

For CIOs, the takeaway from these legal battles is twofold:

  1. Using third-party support is legally viable, as long as you and the provider stay in your lane (within the license rights).
  2. Providers must use scrupulous methods. The onus is on the third-party company to avoid “clone” environments or patch-sharing that violates vendor IP. Reputable providers today are mindful of these boundaries due to the costly lessons from Rimini and TomorrowNow.

Finally, aside from these marquee cases, it’s worth noting that no court has prohibited a customer from choosing third-party support. Oracle’s attempts to set a broad precedent against third-party support have largely been thwarted; the litigation outcomes stopped short of giving Oracle any contractual right to prevent customers from switching support vendors. Therefore, current precedent supports customer choice, with the understanding that Oracle (and others) can still sue if a provider or customer violates copyright or license agreements in the course of that support.

3. Oracle’s Licensing and Audit Stance

While the law allows third-party support, Oracle uses its licensing policies and audit practices to strongly discourage customers from leaving Oracle’s support program. CIOs must carefully navigate these contractual minefields.

License Agreements: Oracle’s standard license agreements do not outright forbid third-party support but contain provisions that can complicate a switch. For example, Oracle offers some customers Unlimited License Agreements (ULAs) – enterprise-wide deals for unlimited use of certain Oracle software for a period (often 3 years) with a one-time fee. Crucially, ULAs typically require the customer to stay on Oracle support during the term as part of the contract. If you are in a ULA, you cannot drop Oracle support in favor of a third party until the ULA period ends (or unless you negotiate an exit). In contrast, if you have purchased perpetual licenses (non-expiring), you “own” the software rights and are free to choose support options. Perpetual license holders can theoretically cancel Oracle support and hire a third party at any time, since they maintain the right to use the software indefinitely.

Oracle also has policies like the “Matching Service Levels” clause that sow confusion. This policy stipulates that if a customer has a set of licenses in the same “license set” or product family, they must maintain the same support level​. In practice, Oracle interprets this to mean a customer cannot drop support on one Oracle product while keeping support on a related product – Oracle’s sales reps often warn that doing so would terminate support on all the related licenses​. For instance, if you have Oracle Database and associated options, Oracle may insist you keep support for all or none of them. This is a pressure tactic: it forces customers into an “all or nothing” decision, making it harder to trim some support costs or move to a third-party provider​. It’s important to note that the matching service level policy applies to products in the same family and is governed by definitions in Oracle’s contract; savvy customers sometimes reorganize or reallocate licenses to avoid falling into a single license set. Still, this is a prime example of Oracle’s contractual levers to deter third-party support.

Access to Updates: Oracle’s support terms specify that when customers stop paying maintenance, they lose access to Oracle’s support portals, updates, and new patches. The license grants the right to use your software version, but not the right to updates or fixes once support is terminated. Therefore, Oracle positions it as “if you leave us, you’re on your own” – a customer going to third-party support must rely on the third party or self-support for any bug fixes, regulatory updates, or security patches. Oracle will not provide those (and contractually, customers can’t legally download new patches after their support contract lapses)​. This is legal leverage, not a ban on third-party support. Still, it means CIOs must plan to archive any needed Oracle updates before leaving (e.g., download the latest patches while still an Oracle customer in good standing).

Audit Threats: Oracle is notorious for its software license audits. While Oracle doesn’t explicitly audit because you moved to third-party support, many observers note that customers who drop Oracle support should be prepared for an audit. Oracle audits ensure you aren’t using more licenses or features than you purchased, and an audit after moving off Oracle support could scrutinize whether you improperly applied any Oracle patches or are using software beyond the terms. For example, if a customer on third-party support somehow obtained an Oracle patch they weren’t entitled to, that could surface in an audit. Oracle’s audit teams look for compliance gaps (unlicensed use, etc.), but compliance can get more complex once you’re off Oracle’s support. CIOs should review internal licenses before switching and remain vigilant about usage tracking. Staying compliant is essential – third-party support is only legal if the customer continues to honor the license terms (number of users, processors, locations, etc.)​. Any violation unrelated to support can still trigger penalties or a requirement to purchase additional licenses.

In summary, Oracle’s stance can be described as strategically obstructive toward third-party support:

  • Oracle will not concede any contract terms in writing that make third-party support easy. To lock customers in, it leverages ULAs, matching support level policies, and strict rules about patch access​.
  • Oracle’s leadership has consistently maintained that only Oracle can fully support its products and often spreads FUD (fear, uncertainty, doubt) about third-party providers – for instance, implying that third-party support could leave customers at legal risk (when in fact it’s fine if done correctly) or vulnerable to security issues without Oracle’s updates. Oracle’s legal actions and press releases label third-party providers who crossed lines as “bad actors”​, which, while true in those cases, can intimidate regular customers from even considering alternatives.
  • Audits and penalties remain a latent threat. Even if third-party support is legal, Oracle can make life difficult through aggressive compliance enforcement. This is why expert advice is to fully document your compliance and archive any Oracle-provided materials before leaving Oracle support​. By doing so, you mitigate the leverage Oracle might try to exert post-switch.

For a CIO, understanding Oracle’s stance means recognizing that moving to third-party support requires careful contract navigation. Always check your agreements for clauses about support termination, notice periods, reinstatement fees (Oracle typically charges a hefty fee plus back support if you ever want to return to Oracle’s support later), and any product-specific quirks. In many cases, the only thing preventing you from switching is cost/benefit calculus and fear of the unknown, but Oracle counts on that fear. Knowledge of your rights and obligations is the antidote.

4. How Third-Party Support Models Work

Third-party support providers for Oracle (and other enterprise software) aim to replicate and often improve upon the services the vendor’s support would provide, at a lower cost and with more flexibility. Understanding their model helps clarify the legal use case and value proposition:

  • Scope of Services: Independent support vendors like Rimini Street, Spinnaker Support, and others cover a broad range of Oracle products – from databases and middleware to enterprise applications (E-Business Suite, PeopleSoft, JD Edwards, Siebel) and even Oracle’s hardware and operating systems in some cases. They employ engineers (often ex-Oracle or ex-SAP experts) intimately familiar with the technology stack. Services typically include troubleshooting technical issues, performing break/fix support, providing operational advice, and creating bug patches or workarounds. For ERP systems, third parties also deliver tax, legal, and regulatory updates (for example, changes in tax codes or HR regulations that Oracle would normally provide via patches to EBS or PeopleSoft).
  • Support for Older Versions: A hallmark of third-party support is supporting legacy versions indefinitely. Oracle’s support policy usually has a timeline – e.g., Premier Support for 5 years, Extended Support for a few more, then Sustaining Support with no new fixes. Third-party providers will support any version the customer is running, no matter how old, and continue to develop necessary fixes or compliance updates for that version​. This is a big draw for organizations running stable systems on older releases who do not want to upgrade just to stay supported.
  • Onsite vs. Offsite and License Boundaries: Modern third-party support models have been refined to stay within legal boundaries. Typically, the third-party provider will require that each customer maintain their licensed instances of Oracle software, including development and test environments if needed, rather than the provider making copies on its servers. In the early days, Rimini created a library of Oracle software environments on its premises to deliver fixes, which the court found infringing. Now, the model is usually that the provider either works directly on the customer’s systems (through VPN or remote access) or maintains a separate environment for the customer that is isolated and based on that customer’s license. In other words, any copy of Oracle software used for support is a copy that the customer is authorized to have. Providers also develop their code (scripts, configurations, or binary patches) to solve issues rather than inserting Oracle’s code from patches not licensed to the client. Courts have even confirmed that third-party providers can document their “know-how” and re-use their knowledge across clients, as long as they aren’t distributing Oracle’s protected code in the process​.
  • Patches and Updates: How can a third party issue a patch without access to Oracle’s source code? In practice, they reverse-engineer problems and create their fixes. For example, if a database has a memory leak bug, a skilled support engineer can often identify a workaround or develop a script to mitigate the issue. For application software like ERP, third-party vendors often write and deliver code adjustments (in database triggers, custom code, or configuration changes) to achieve the same end as an official Oracle patch. Another common service is retrofitting regulatory changes – e.g., updating tax calculation formulas in Oracle EBS payroll – by directly adjusting configurations or code, which a customer could do (and thus a third party can do on their behalf). These providers do not have Oracle’s proprietary source code, but they do have tools and expertise to produce solutions. While they may leverage publicly available documentation or even customer-furnished Oracle updates (from before the support contract lapsed), they must be careful not to misuse Oracle’s intellectual property. Essentially, they act as an extension of your IT team: anything your team could legally do (like writing a custom fix or querying Oracle’s data dictionaries), they can do for you, but they won’t (or shouldn’t) do anything you couldn’t legally do yourself.
  • Service Model: Third-party support often touts a more personalized, high-touch model than vendor support. Instead of logging a ticket and getting a junior support rep with scripted responses, customers get direct access to senior engineers who handle their issues end-to-end​. Many CIOs report faster response and resolution times, and proactive support such as performance tuning and security monitoring as part of the package. Also, unlike Oracle, which generally will not assist with customizations (Oracle support will ask you to reproduce issues on vanilla configurations), third-party providers will support your custom code and integrations as part of their remit. This comprehensive approach can reduce downtime and frustration for IT staff.
  • Hardware and Systems Support: Besides software, Oracle’s portfolio includes hardware (legacy Sun/Oracle servers, Exadata machines, storage, etc.). Third-party maintenance providers service this equipment by supplying replacement parts, on-site repair, and firmware support after Oracle’s warranties or support contracts lapse. Companies like MGlobal and others explicitly offer third-party Oracle/Sun hardware maintenance. Legally, maintaining hardware is generally straightforward – if you own the hardware, you can choose who services it. The only limitation is firmware or software on that hardware: Oracle might tie firmware updates to having an active support contract. Third-party hardware maintainers often source spare parts from secondary markets and have engineers skilled in those systems. Many data centers use third-party maintenance to prolong the life of Oracle hardware at a fraction of Oracle’s support cost. This runs parallel to third-party software support and is similarly legal as long as no protected software is unlawfully copied. Oracle has also fought some third-party hardware support firms in court, though those disputes also come down to intellectual property (e.g., use of copyrighted firmware). The fundamental principle remains: customers may service their equipment and software or hire others to do so, but they can’t give those others rights they don’t have.
  • Contracts and Costs: Third-party support vendors usually operate on annual contracts like Oracle, but typically with lower fees (often 50% of Oracle’s price or more in savings)​. Some offer multi-year discounts or guaranteed pricing. It’s common that when a customer switches, they lock in support with the third party for a certain term and pay a subscription fee. Importantly, Oracle’s support works on an annual renewal model; if you stop paying, you lose support, and re-enrollment can incur back charges. Third-party contracts are generally more flexible, but CIOs should check if the third party has any long-term lock-in or penalties for leaving them, and ensure service level agreements (SLAs) are well-defined.

In essence, third-party support models are about stepping into the shoes of the vendor’s support organization. They strive to provide equivalent or better support without access to the vendor’s proprietary patch delivery system. This is achieved with deep expertise, custom solutions, and a focus on the customer’s environment. The model has matured significantly since the early 2010s, precisely due to the legal outcomes: providers know what not to do (no mass copy-paste of Oracle code) and focus on adding value in allowed ways. For a CIO, understanding the model means recognizing that a switch to third-party support is not a downgrade in capability – it’s a trade-off of where the fixes come from and how they are delivered. Your users still call a help desk for issues; it happens to be a different company on the other end, often with senior talent and more freedom to address custom needs.

5. Pros and Cons for CIOs: Weighing the Benefits and Risks

Switching to third-party support is a strategic decision. CIOs should evaluate a balance of cost, risk, flexibility, and alignment with IT strategy. Below is a breakdown of the major pros and cons:

Key Benefits (Pros):

  • Dramatic Cost Savings: The most touted benefit is saving money. Oracle’s annual support fees are roughly 22% of the software license purchase price, meaning after about 5 years, a customer has again paid the equivalent of the license cost in support. Third-party providers typically charge much less – often 50% of Oracle’s fee, or even greater savings in some cases. These savings can be substantial in large environments. For example, companies have reported cutting maintenance bills by half or more, freeing up millions of dollars in IT budgets. This money can be redirected to innovation or other priorities. Additionally, Oracle tends to increase support costs annually (inflationary uplifts of 3-4% are common), whereas third-party contracts often have flat or more modest increases, improving cost predictability​.
  • Extended Product Life and Avoiding Forced Upgrades: Third-party support lets you run older software versions indefinitely with full support. Oracle’s policy of ending full support after several years pushes customers to upgrade or face reduced support. Many CIOs find that older, stable systems (an ERP or database that “just works”) don’t need frequent upgrades – the business isn’t demanding new features, and upgrading poses cost and risk. With third-party support, you can safely stay on a known-good version beyond Oracle’s support window, because the provider will continue to fix issues and even create patches for new security vulnerabilities on that old version. This avoids expensive, disruption-prone upgrades driven by business need and Oracle’s timelines. The business, not the vendor, decides when to upgrade. Some organizations use this freedom to skip several Oracle versions and only upgrade when it’s truly beneficial, or to buy time while evaluating migration to a different platform.
  • Better Support Quality and Responsiveness: Many customers experience more personalized and responsive service from third-party support compared to Oracle’s standard support structure. Like other big vendors, Oracle often uses tiered support where front-line staff handle calls by script, and complex issues escalate slowly. In contrast, third-party providers assign seasoned engineers to clients, often available 24/7, who become intimately familiar with the client’s environment. This can lead to faster issue resolution and less finger-pointing. Furthermore, third-party support will address issues Oracle might decline, notably supporting customizations and integrations. Oracle’s policy is that they don’t support code you’ve added or modified; third-party vendors include that in scope​, which is a huge plus if your Oracle systems have a lot of in-house custom code (as many do). The result can be higher satisfaction among IT staff and end-users when problems are solved more quickly and holistically.
  • Flexibility and Tailored Services: Outside support providers are hungry to differentiate, often offering flexible terms and extras. They might bundle advisory services, performance tuning, or even minor enhancements as part of support. The SLA can be tailored – e.g., if you need a 15-minute critical response time for a particular system, you can negotiate that, whereas Oracle’s standard SLA might not meet it. Also, providers like Rimini Street have been known to proactively monitor client systems and suggest optimizations or patch certain things preemptively​. Oracle’s generic support rarely provides this kind of proactive maintenance. Flexibility also extends to contracts – some third-party vendors allow canceling certain components or adjusting the scope yearly. In contrast, Oracle’s policies, like matching support levels, mean you often pay for some support you don’t fully use​. In short, independent support can be more customer-centric.
  • Focus on Stable Operations: Organizations can focus on stability by decoupling from the vendor’s upgrade treadmill. For many CIOs, not having to constantly plan for Oracle-driven upgrades means less disruption, fewer regression issues, and an IT environment that only changes when the business needs it to change. Third-party support reinforces a “run what we have reliably” strategy. This can align well if the Oracle systems are critical, but not where the company wants to invest more (for example, if you plan to eventually replace an older Oracle ERP with a SaaS solution, third-party support can keep it running at low cost).

Key Drawbacks and Risks (Cons):

  • No New Features or Oracle Patches: When you leave Oracle’s support, you forgo all new updates from Oracle. This means if Oracle releases a new bug fix or a new version, you won’t get it (unless you rejoin Oracle support, typically at significant cost). Third-party providers will cover known issues and can tackle new problems that arise, but they won’t have access to Oracle’s proprietary patches developed after your cutoff. Sometimes, there might be a critical patch Oracle releases (say for a major security vulnerability) that the third party must re-engineer, or you must live without it until they do. This could introduce delays in remediation. CIOs should be aware that staying off Oracle support often means staying on your current software version long-term – you can’t upgrade to a new Oracle release because that would require an Oracle support contract to get the media and license (unless you already had rights to it). So, you are trading innovation for stability. If your business later decides it needs a new Oracle feature or module, you might have to return to Oracle support or find a workaround. Third-party support is ideal for mature systems where new features are not a priority​.
  • Security Concerns: One common concern is whether being off Oracle support exposes you to security. Oracle regularly issues security patches for its products. Third-party providers claim to create their security fixes or help customers mitigate risks via configuration and monitoring. To date, there haven’t been publicized incidents of a breach attributable to a customer using third-party support and missing an Oracle patch. However, the risk is something to manage. CIOs may need to implement extra security measures – for example, ensuring databases are behind robust network defenses or using third-party security tools – to compensate for not getting Oracle’s official updates​. Some organizations keep a hybrid strategy: remain on Oracle support for database or security-sensitive components while using third-party support for less-exposed application layers. This can complicate the support model (and Oracle’s matching policy might interfere), but it is a way to balance security vs. cost. In any case, security should be explicitly discussed with potential support providers: what is their process for vulnerability alerts? Do they develop patches or just provide guidance? What’s their track record? Reputable firms invest in this area and may have security certifications (like ISO 27001).
  • Compliance and Legal Risks: While hiring a third-party support provider is legal, there is a risk of indirect legal entanglement. The Rimini Street case shows that if a provider oversteps, the vendor (Oracle) will go after the provider, not necessarily the customer. Oracle did not sue customers; Oracle targeted the provider. However, a CIO wouldn’t want to be caught in the fallout of an injunction that disrupts their support. If your provider is barred from delivering certain updates because of a court order, your operations could be affected. To mitigate this, CIOs should contractually protect themselves (ensure the provider will still support them or has workarounds even if their methods must change) and choose a provider with a strong compliance ethos. Another compliance aspect is license compliance: if your switch is not managed well, you might accidentally use Oracle software in a way that breaches the license (for instance, applying a patch obtained illegally). The customer must ensure strict adherence to license terms at all times​. Providers can guide this, but the ultimate responsibility lies with the customer in avoiding any unlicensed use of Oracle IP. In short, the legal risk is low if everyone plays by the rules, but it requires discipline and oversight.
  • Vendor Relationship and Support Re-entry: CIOs often worry that leaving Oracle’s support could damage the broader relationship with Oracle. If you are a big Oracle customer (perhaps using Oracle Cloud or other Oracle products), dropping support on one component may anger account reps or reduce your influence with Oracle. Oracle sales might become less willing to offer discounts on other products if they see you as cutting them out of support revenue. This is a softer aspect, but real in many enterprise vendor relationships. Additionally, if for any reason you need to go back to Oracle’s support (e.g., you want to upgrade to a new version or something critical isn’t solvable by the third party), Oracle typically charges backdated support fees plus a penalty (reinstatement fee) to let you back in. This can be expensive, effectively eroding some of the savings you realized. CIOs should consider the likelihood of needing Oracle again. Third-party support is a bridge if the system in question might be decommissioned or replaced in a few years. If there’s a chance you’ll want to re-upgrade and re-engage Oracle, factor in that switching back will have a cost. That said, many CIOs plan third-party support as a one-way move for that system – ride it into the sunset or until migration off Oracle.
  • Lack of Vendor Backing for New Projects: If your company plans to undertake a major initiative involving Oracle technology – say a re-implementation or integration with a new Oracle product – being off official support can be a hindrance. Oracle’s consultants or partner ecosystem might be needed, and they may require the product to be assisted by Oracle support. Also, Oracle will not help with issues on unsupported environments. This can be a con if your Oracle system is not truly in “maintenance mode” but is still evolving. For very static environments, it’s fine; for dynamic ones, it might constrain you.
  • Potential Provider Limitations: Third-party support firms, while expert in many areas, do not have Oracle’s internal development team at their disposal. There may be very deep issues or code defects that are hard to fix from the outside. In rare cases, a third-party provider might only be able to offer a partial solution or an operational workaround rather than a true code fix. You must accept that you can’t escalate to Oracle’s development, because you left that support. Third-party firms pride themselves on ingenious fixes and will escalate issues internally just like Oracle would, but within their resources. Checking references and success stories can give confidence that the provider can handle your environment’s needs.

In weighing pros and cons, many CIOs find the pros compelling if their situation aligns (stable system, high support costs, low appetite for upgrades). The savings and service quality often outweigh the cons of losing Oracle’s direct hand-holding. However, if a system is strategic and rapidly evolving, or if top-notch security patching is a must-have, sticking with Oracle (or using Oracle in combination with a third party for certain components) might be safer. It is not a one-size-fits-all decision. The good news is that because third-party support has matured, we now have enough case studies to see that for the right profile of system and organization, the benefits are real and the risks manageable​.

6. Vendor-by-Vendor Comparison: Oracle vs. SAP vs. IBM and Others

How does Oracle’s stance and the legal landscape for third-party support compare to other enterprise software vendors? CIOs often have a portfolio of vendors, and each may treat third-party maintenance differently. Here’s a brief comparison:

Oracle

Oracle is arguably the most aggressive and high-profile opponent of third-party support among enterprise software companies. Oracle’s support business is extremely profitable (with profit margins reportedly over 90% for support contracts​), so it has a strong incentive to protect that revenue. Oracle’s approach has been:

  • Litigation: Oracle has pursued lengthy lawsuits against third-party support providers (Rimini Street, TomorrowNow/SAP) to both stop specific unlawful practices and send a message to the market. Oracle’s goal has been to make an example of those who infringe its IP, discouraging customers from considering third-party options by raising fear. The company has successfully won injunctions and settlements in these cases​, which it publicizes as victories to reinforce the narrative that only Oracle can safely support Oracle products.
  • Contractual Barriers: As discussed, Oracle uses contracts (ULAs, support policies) to lock in support. Historically, it has not allowed partial support. If you have a bundle of Oracle products, Oracle will insist they all remain on Oracle support (or all come off) due to policies like matching service levels​. Oracle rarely, if ever, provides an official blessing to any customer to use third-party support; sales teams are trained to resist and may threaten license compliance actions (subtly or overtly) if a customer signals intent to leave Oracle support.
  • Tolerated Bounds: Despite this hard stance, Oracle does tolerate a degree of third-party involvement in practice. For example, Oracle customers often hire independent consultants (who are not Oracle employees) to help with DBA support or application management – effectively a form of “third-party support.” Oracle doesn’t object to that as long as those consultants operate under the customer’s control and access rights. Oracle doesn’t want a formalized third-party support contract replacing Oracle’s contract. Oracle executives have occasionally acknowledged that third-party support is legally permissible, but they contend that customers lose out on value and risk compliance issues. Oracle’s website or communications emphasize the dangers, rather than outright saying “it’s illegal” (since they know it isn’t illegal if done right).

In summary, Oracle’s stance is combative. It fights to constrain third-party providers in court and uses every tool to retain support customers. However, Oracle’s customers have the leverage of the court precedents – Oracle cannot cancel your license or sue you simply for choosing an independent provider. Oracle can only react if there’s actual infringement. So, Oracle’s power lies in influence and contract nuance, not in any law that forbids third-party support.

SAP

SAP, another ERP giant, has a large maintenance revenue stream as well, but its approach has been somewhat different:

  • Past Incident (TomorrowNow): The most notable event was SAP’s ownership of TomorrowNow, which was a unique scenario. SAP attempted to use third-party support to lure Oracle’s customers (since TomorrowNow supported PeopleSoft/JD Edwards after Oracle acquired those lines). That backfired legally and cost SAP dearly. Since then, SAP has steered clear of directly infringing Oracle’s IP. But what about independent providers supporting SAP products?
  • SAP Tolerance: Unlike Oracle, SAP has not engaged in high-profile lawsuits against third-party support providers for SAP software. Rimini Street and Spinnaker offer support for SAP ERP (ECC 6.0, Business Suite, S/4HANA) and SAP databases. SAP has not sued these providers for copyright infringement like Oracle did, at least as of this writing. This suggests that either SAP doesn’t see them as a major threat yet, or those providers are handling SAP support in a way that doesn’t trigger legal action. It may also reflect that SAP’s contracts and technology differ (for example, SAP may not have evidence of unauthorized copying, or the providers might be extremely careful). SAP also might be taking a less confrontational market strategy – focusing on moving customers to its next-generation products (like S/4HANA cloud) and offering enhanced maintenance options, rather than fighting third-party support in court.
  • Contracts and Policy: SAP’s license model historically involves perpetual licenses with annual support (like Oracle), but SAP also sells subscription cloud services now. SAP doesn’t have an exact equivalent to Oracle’s ULA; if you stop paying SAP maintenance on a perpetual license, you similarly lose support and updates, but you keep the right to use the software. SAP encourages customers to stay on support by bundling certain incentives (for example, access to the SAP support portal, support packages, upgrade tools, etc.), which cease when off maintenance. However, SAP’s support policies have been perceived as slightly more flexible. There isn’t an openly stated “matching service levels” policy for SAP, so some customers have dropped support on select SAP components while keeping others (though SAP sales will push back).
  • SAP’s Public Stance: SAP’s public messaging hasn’t vilified third-party support to the extent Oracle’s has. In fact, because of SAP’s misadventure, it’s somewhat awkward for SAP to claim third-party support, which is terrible – SAP used it as a competitive tactic at one point. That said, SAP prefers customers to stay on SAP maintenance, especially as it needs to fund R&D for its new products. SAP launched “SAP Enterprise Support” years ago with higher fees but more services, and more recently “SAP Preferred Success” for cloud, all aimed at delivering more value to justify staying. SAP also provides extended maintenance for older versions (at a premium) to reduce the allure of third parties.

In practice, many SAP customers have moved to third-party support for stable SAP systems (like ECC) to avoid or delay the forced migration to S/4HANA. SAP has set 2027 (and extended to 2030 for some) as the end of mainstream maintenance for ECC6. Customers who are not ready to move have considered third-party support a stopgap. SAP seems to be tacitly accepting this to a degree, as long as those customers eventually migrate to SAP’s new platform or return in some form. We have not seen SAP launch a Rimini-style lawsuit against Rimini Street for supporting SAP clients, which legally indicates a less aggressive stance. SAP may rely more on customer persuasion and future vision (S/4HANA) to keep clients on board than on legal enforcement.

The bottom line for SAP is that third-party support is available and legally similar (the same principles of license compliance apply). SAP’s contracts don’t have special clauses outright banning it (aside from needing to be on maintenance to get updates). CIOs dealing with SAP can consider third-party support with slightly less fear of a legal firestorm. However, they should still inform themselves of any SAP-specific terms (for example, some SAP agreements might have notice periods to terminate support, or cloud subscriptions that third parties can’t support since they run on SAP’s cloud).

IBM

IBM spans software and hardware, historically having a huge services arm. IBM’s approach to third-party support/maintenance has been more pragmatic:

  • IBM Software: IBM sells middleware (WebSphere, DB2, Lotus Notes/Domino, etc.) and enterprise software. Third-party support exists for IBM software (companies like Origin specialize in supporting IBM products like IBM Domino, Tivoli, etc.). Like Oracle’s, IBM software licenses typically give a perpetual right to use. IBM’s standard agreements (IBM IPLA) don’t forbid using third-party support. IBM does include terms about not transferring support contracts to others​, but that just means you can’t take an IBM support agreement and hand it off – it doesn’t prohibit dropping IBM support and hiring someone else. There have been no headline-grabbing lawsuits of IBM suing a third-party provider for copyright infringement. One reason might be that IBM’s software support isn’t as centralized in delivering proprietary patches to the same extent, or IBM’s customer base for certain older products is smaller. IBM might quietly allow third-party activity so as not to upset clients.
  • IBM Hardware: Third-party maintenance is common across the industry on the hardware side (mainframes, Power Systems, storage). IBM hardware customers often use independent maintainers for equipment that’s out of IBM warranty or service. While not thrilled to lose that business, IBM has been unable to prevent it; maintenance competition has existed for decades. Sometimes, IBM collaborates with third-party maintainers via partner programs or sells spare parts. The legal issues are minimal as long as any firmware software is properly licensed.
  • IBM’s Tactics: Rather than fighting legally, IBM tends to compete on service quality or bundle support with other deals. IBM also offers its flexible support packaging. For example, IBM might say, “if you keep supporting these products with us, we’ll give you a discount on a hardware upgrade” – using sales tactics rather than suing a third-party provider. IBM also has a vast services division (IBM Global Services), sometimes supporting other vendors’ software under outsourcing agreements. This means IBM is in the business of third-party support from another angle (IBM might support your Microsoft or Oracle products as part of an outsourcing contract). Given this perspective, IBM can hardly claim that third-party support is illegitimate. IBM’s website acknowledges that independent third-party support is an accepted practice in IT, cautioning customers to ensure their licenses are valid​.
  • Recent Trends: IBM’s focus recently has been on cloud and cognitive solutions, and it divested some legacy software (e.g., Notes/Domino went to HCL). Where IBM has divested, often the new owner continues support, but third parties also step in. IBM likely views third-party support as a manageable competitive factor rather than an existential threat.

So, CIOs will find a more relaxed climate for third-party support for IBM environments. The key is still to follow the license rules (which, in IBM’s case, means not to exceed your usage rights, and note that IBM licenses are often audited, too). IBM audits tend to be less notorious than Oracle’s, but they do happen. One specific IBM wrinkle: IBM licenses often have a compliance term that if you lapse support, you might not be able to get certain updates or resume support without a fee (similar to others). But IBM also sometimes allows à la carte or per-incident support, depending on the product, even if you’re not on contract.

Other Vendors (Microsoft, etc.): The question focuses on Oracle, SAP, IBM, but briefly, in comparison:

  • Microsoft: Generally, third-party support isn’t a big issue because Microsoft products have many avenues of support (e.g., community, partners). Microsoft doesn’t lock down support similarly; if you have a Windows or SQL Server license, Microsoft doesn’t force you to buy a support contract at all – many customers use it without any support or with a Microsoft Premier Support arrangement as needed. Microsoft also opens up some code and has a broad ecosystem, so third-party support is quite normal (think of Linux, etc., where third-party support is the norm). So this is less contentious.
  • Oracle vs SAP vs IBM in summary:
    • Oracle: Most restrictive stance, legally tested in courts, adversarial to third-party support providers.
    • SAP: Prefers you stay, but no major direct legal attacks on independent providers post-TomorrowNow; focuses on product evolution to entice customers to stick with SAP’s roadmap.
    • IBM: Generally tolerates third-party support and maintenance; competition is more on service offerings than legal barriers.
    • Other enterprise software (Salesforce, etc.): If it’s cloud/SaaS (like Salesforce), third-party “support” can only be supplemental (since the vendor runs the service). For on-premises enterprise software (like IBM, Microsoft, etc.), third-party support is typically legal and available, but vendor reactions vary.

CIOs should evaluate each vendor relationship separately. Oracle, being uniquely aggressive, might be the one where third-party support yields the most savings but requires the most procedural rigor to execute safely. The path may be smoother with SAP and IBM, but still requires diligence.

7. Recommendations for CIOs Considering Third-Party Support

If you are a CIO or IT executive weighing a move to third-party support for Oracle systems, here are strategic recommendations to ensure a successful transition with minimal risk:

1. Review Your Contracts and Rights Meticulously: Gather and review all your Oracle (and other vendor) license agreements and support policies​before making any changes. Pay special attention to:

  • Support termination clauses: What notice is required to cancel Oracle support? (Typically 30 or 60 days before renewal.)
  • Any penalty or reinstatement fee clauses if you later re-enroll.
  • “License set” or matching support level rules that might affect partial cancellations​.
  • If you have an Unlimited License Agreement (ULA) or cloud subscription, understand that you may be contractually obligated to stay on Oracle support for that term​. Plan to exit the ULA (via certification or buy-out) if you want to switch support after it ends.
  • Perpetual license verification: Ensure you indeed have perpetual rights to use the software version you need. If something is term-based or leased, you can’t use it without Oracle’s renewal.

Consider engaging a license expert or legal counsel specializing in Oracle contracts to assist with this review. They can identify hidden “gotchas” and help you interpret what you can and cannot do. The goal is to have a clear legal roadmap of your entitlements.

2. Conduct an Internal License Audit (Compliance Check): It’s wise to audit your own Oracle deployments before Oracle does​. This means:

  • Inventory all installations, usage metrics (users, processors, cores, features in use).
  • Reconcile with what you have purchased and are entitled to. Fix any compliance gaps now – e.g., if you’re using Oracle options or packs that weren’t licensed, either remove them or negotiate a license before leaving support.
  • Ensure you have documentation for all your licenses, including proofs of purchase and any special terms.
  • Check that you aren’t reliant on any Oracle provided cloud services or support services that would vanish post-support (for instance, some customers rely on Oracle’s MetaLink/My Oracle Support knowledge base – after leaving, you’ll lose access, so download any critical documents or patches beforehand​).
  • By self-auditing, you can approach the switch confidently and reduce the risk that Oracle finds a non-compliance issue to leverage against you later.

3. Archive Patches and Documentation: Before your Oracle support expires, download all relevant patches, updates, and technical documentation you might need for your current software versions​. This includes:

  • Latest patch sets / Patchset Updates (PSUs) or Critical Patch Updates (CPUs) for your database versions.
  • Latest bundled patches or fixes for applications (EBS, etc.) up to your end date.
  • Documentation includes installation media, user guides, and any support notes for known issues.
  • Essentially, build a library of Oracle materials you are entitled to as of the last day of your support. Once support is lapsed, you legally cannot log in to Oracle’s support site. Your third-party provider can often help identify what patches are important to grab. Having this repository ensures that if an issue arises, Oracle has already fixed it before the switch, and you have the fix available.

4. Choose a Reputable Third-Party Provider (Due Diligence): Not all providers are equal. Vet the third-party support firm thoroughly:

  • Track record: How long have they been in business? Do they have references in your industry or for supporting the Oracle products you use?
  • Legal history: Have they been involved in any litigation with Oracle or others? How did they resolve it? Ideally pick a provider with a clean (or cleaned-up) record who demonstrates strong compliance processes.
  • Methods: Ask them to explain how they deliver support in light of Oracle’s restrictions. A good provider will openly describe how they avoid IP infringement (for example, working only on your environments, not sharing code between customers, etc.). This not only gives peace of mind, but it also indicates their professionalism.
  • Support depth: Ensure they have the necessary expertise – e.g., if you have Oracle E-Business Suite with heavy customizations and a specific database version, do they have experts in EBS, in that database, in your operating system, etc.?
  • Security and certifications: Since they will be handling your systems, check if they have security standards like ISO 27001 or SOC 2 compliance. Also, inquire about how they handle sensitive data or remote access.
  • Financial stability: You want the provider to be around long-term. Evaluate their financials or size to be sure they won’t disappear or get acquired by Oracle (unlikely, but worth considering longevity).
  • Service Level Agreements: Negotiate SLAs that meet your needs, and include provisions that protect you – for example, if they cannot solve an issue, can you get support from a third party or Oracle on a one-off basis? Some customers keep a clause to allow Oracle to engage on a time-and-materials basis if necessary (Oracle can offer paid consulting even if you’re not on support).

5. Plan the Timing and Communications: The process of switching should be planned like a mini-project:

  • Timing: Align the switch with your support renewal cycle. Most customers switch on the day their Oracle support expires to maximize the value of what they paid for and avoid any gap. Mark that date and work backwards for when to notify Oracle of non-renewal (typically at least 30 days prior as required by contract).
  • Notification to Oracle: Craft a brief, factual notification to Oracle (usually to your account manager or via the formal process in the contract) stating you will not renew support for certain licenses. You do not have to detail your reasons. Oracle might respond by implementing “customer retention” efforts. Be prepared for escalations – high-level Oracle executives often call to persuade you to stay, perhaps offering discounts. Decide in advance how firm your decision is or if you’d entertain a significantly better deal from Oracle.
    In many cases, Oracle might suddenly offer a 50% discount to keep you, which tells how much margin they have. Some CIOs use the third-party option as leverage to negotiate down Oracle’s price. You could see what Oracle counters with if you’re open to that. Be cautious: accepting a discount may come with multi-year lock-in or other commitments.
  • Internal Communication: Ensure your team and stakeholders are on board. Moving to third-party support might require a mindset shift for your IT staff—they’ll be calling a different help desk and cannot access Oracle’s knowledge base. Train them on the new process and emphasize the benefits (and the dos and don’ts of license compliance).
  • Contingency Plan: Have a backup plan or safety net. For example, if in the first 3-6 months, third-party support does not meet SLAs, what will you do? Perhaps maintain a relationship with an Oracle partner or keep an option to go back to Oracle (knowing it’s pricey). Such issues usually don’t occur if vetted well, but prudent planning never hurts.

6. Be Audit-Ready and Maintain Documentation: After the switch, operate with the expectation that Oracle (or SAP, etc.) could audit you. This means:

  • Keep all proof of entitlements handy (the archive of contracts, proof of patches downloaded while entitled, etc.).
  • Document any changes the third-party provider makes to your systems (in case Oracle questions an environment later, you can show it was a custom change, not an Oracle patch applied without entitlement).
  • Continue to monitor license usage. Just because you’re off Oracle support doesn’t mean you can deploy software freely – you still must purchase licenses for any new deployments. Sometimes, a false sense of freedom can creep in; instill compliance discipline in your teams.
  • If Oracle announces an audit, consider immediately engaging a licensing advisor or legal counsel. Do not simply start answering audit scripts without a strategy. Many companies that moved to third-party support successfully navigated audits by being well-prepared and sometimes having third-party licensing firms assist.

7. Monitor Vendor Stance and Market Developments: Monitor ongoing legal or industry developments. For instance, if Oracle’s litigation with a provider evolves (e.g., an appeal decision that changes what the provider can do), understand how that might impact you. Stay in touch with peers or user groups – many Oracle users discuss third-party support experiences. In addition, Oracle’s product roadmap must be monitored. If Oracle suddenly decides to offer a new kind of lower-cost support or if it extends support for your version, that could influence your strategy. Vendors occasionally adjust policies when they see many customers opting out (for example, Oracle has sometimes offered “Extended Support” fee waivers for certain versions to dissuade defection).

8. Consider a Vendor-by-Vendor Approach: If your IT landscape includes multiple vendors (Oracle, SAP, IBM, etc.), you don’t have to make one blanket decision. Depending on where the value lies, you might keep Oracle on third-party support while staying with SAP’s support, or vice versa. Each vendor’s situation (contracts and plans for future upgrades) should be assessed separately. That said, consider overall vendor management: sometimes staying on official support with one vendor might earn goodwill in negotiations on another product. It’s a complex dance. Align the decision with your broader IT sourcing strategy and maybe discuss at the CIO level with other executives if multi-vendor concerns exist.

9. Leverage Legal Counsel for Peace of Mind: Given the legal nuances, having your legal team or external counsel formally review the third-party support agreement and your Oracle agreement is important. They can ensure that the contract with the new provider has appropriate indemnification clauses (e.g., the provider will defend you if Oracle claims they are infringing) and that you are not inadvertently agreeing to anything problematic. Also, counsel can draft your communication to Oracle about ending support to ensure you fulfill contract terms without over-sharing information.

10. Focus on Strategic Value: Finally, frame the decision as a cost-cutting move and a strategic realignment. The money saved should ideally be used for innovation or modernization that was otherwise starved of funds. This helps win internal support (CFO, CEO) for the decision. It also means that you can show tangible business improvements funded by this change in a couple of years. That narrative – “we saved $X million, which we invested into digital transformation” – can outweigh any lingering doubts about leaving Oracle’s umbrella.

In conclusion, third-party support for Oracle products can be a legal and smart choice when approached methodically. While intimidating, Oracle’s tactics should not dissuade organizations that have done their homework and have a solid plan. Many CIOs have trodden this path and emerged with significantly lower costs and equal or better service levels. By understanding the legal landscape, learning from the major court cases, and taking prudent precautions, you can confidently decide whether third-party support is right for your Oracle estate. And if you proceed, you’ll be well-positioned to reap the benefits while keeping compliance risk in check, truly getting the best of both worlds: cost efficiency and operational stability, legally sound.

Author

  • Fredrik Filipsson

    Fredrik Filipsson brings two decades of Oracle license management experience, including a nine-year tenure at Oracle and 11 years in Oracle license consulting. His expertise extends across leading IT corporations like IBM, enriching his profile with a broad spectrum of software and cloud projects. Filipsson's proficiency encompasses IBM, SAP, Microsoft, and Salesforce platforms, alongside significant involvement in Microsoft Copilot and AI initiatives, improving organizational efficiency.

    View all posts