The email does not say audit. It says “Java usage review.” Or “ensuring your Java environments are properly licensed.” It is courteous, it comes from a sales or licensing rep rather than legal, and it asks for a quick call to confirm a few things.
That email is the opening move in an Oracle Java audit. How you respond in the first 48 hours sets the ceiling on what you pay.
Here is the short version. Do not reply with details. Do not get on the call yet. Do not run the script Oracle sends you. Oracle already has more data than you think, and the metric they license Java under means your bill is calculated on your entire headcount, not the handful of people who actually use Java. Before you say anything back, you need to know your own position better than they do.
This guide explains what Oracle can see, why the exposure is larger than your Java footprint, and what to do in the order it needs doing.
Why Oracle is auditing Java now
In January 2023, Oracle changed how it sells Java. The old model priced Java by the processor or the named user. The new one, the Java SE Universal Subscription, prices it per employee.
Not per Java user. Per employee.
Oracle’s own definition is broad. An “employee” for the subscription counts all full-time, part-time, and temporary staff, plus the full-time, part-time, and temporary staff of any agents, contractors, outsourcers, and consultants who support your internal operations. If 60 developers run Oracle Java and you employ 4,000 people, Oracle prices the subscription against 4,000.
That single change turned Java from a line item into a compliance event. And Oracle has spent three years building the case.
Since 2019, Oracle has logged downloads of its Java binaries: the IP address, the corporate domain tied to the account, the timestamp, whatever login was used. Installed copies that were never disconnected from Oracle’s servers also check in for updates, which leaves a trail. By the time the “usage review” email lands, Oracle often already knows your company pulled Oracle Java, when, and roughly where. By then the review is a confirmation of a number they have largely built, not a question about whether you use Java.
What an Oracle Java audit actually looks like
A formal Oracle audit cites the audit clause in your contract and comes through License Management Services. Most Java engagements do not start there. They start soft.
The soft audit arrives as an email or a call from an Oracle sales rep or the Java global licensing team. The subject line reads something like “Oracle Java Usage Review Request” or “Follow-up: Java subscription status.” The tone is helpful. The word “audit” is usually absent. You may be offered a short questionnaire or a request to run a script that reports your Java installations.
The softness is the tactic. A friendly review feels like something you can handle on a quick call with a junior engineer. So companies answer fast, volunteer deployment data, and hand Oracle the confirmation it needs to convert a soft inquiry into a priced demand. The engagement only turns formal if the soft route stalls.
Treat the first email as the start of a negotiation, because it is.
The first 48 hours: what to do, in order
1. Acknowledge receipt. Commit to nothing. A one-line reply is fine: you have received the message and will route it appropriately. Do not confirm usage, headcount, versions, or deployment details. Do not agree to a call date that boxes you in. Anything you state now becomes Oracle’s starting number.
2. Route it to one owner. Pick a single point of contact, usually procurement or legal, and tell the rest of the organization not to correspond with Oracle directly. Audits widen when a well-meaning engineer answers a “quick technical question” and contradicts the official position. One door in, one door out.
3. Do not run Oracle’s script. Any tool or questionnaire Oracle provides reports data on Oracle’s terms and in Oracle’s favor. You are not obligated to run it during a soft review. Build your own picture first.
4. Start your own Java inventory. Find every machine running Oracle Java, the exact version and build number of each, and whether each came from Oracle or from an alternative distribution. This is the difference between negotiating from your data and reacting to theirs.
5. Pull your download and contract history. Check whether anyone has an active Oracle Java subscription, an old legacy agreement, or downloads tied to a corporate account. Oracle has this record. You need it too, so there are no surprises mid-conversation.
6. Get a defensible licensing position before you talk. By the time you engage Oracle on substance, you should know your real exposure, which installations are genuinely licensable, and which are not. Walking into the call without that is how a manageable number becomes a seven-figure one.
The pattern across these six steps is the same one that works for any publisher audit: slow the clock, control the data, and never let the vendor’s number stand as the baseline.
Why your exposure is bigger than your Java footprint
This is the part most teams get wrong, and it is the most expensive part.
Because the subscription is priced per employee, the size of your Java deployment barely matters to the bill. What matters is your headcount.
Run the published pricing. Oracle’s list price starts at $15 per employee per month for the first tier, falling to $12 for 1,000 to 2,999 employees and $10.50 for 3,000 to 9,999, with lower tiers above that. A 2,000-person company at $12 a month is roughly $288,000 a year. For all of Java. Whether 2,000 people use it or 20 do.
That math is why a few unlicensed downloads can surface a demand far larger than the cost of the software anyone is actually running. Oracle prices your company, not the software you run.
It is also why the answer is rarely “just buy the subscription.” Once you understand the metric, the real options come into view: remove Oracle Java where you do not need it, move to a free alternative distribution where you can, and license only what genuinely has to stay on Oracle. Buying first and reconciling later is how companies lock in a headcount-based bill for years.
The NFTC trap: “free” Java that quietly stops being free
Plenty of teams believe they are covered because they run a free version of Oracle Java. Sometimes true. Often not, and the reason is timing.
In September 2021, alongside Java 17, Oracle introduced the No-Fee Terms and Conditions license, the NFTC. It permits free use, including commercial and production use. The catch is in one word: time-limited.
Each release stays free under the NFTC only for a set window, then Oracle moves that version’s ongoing updates onto a paid license. Java 17 went free under the NFTC, and its free updates ended in September 2024. The last no-fee build was 17.0.12 from July 2024. Every Java 17 security patch after that requires a subscription for production use. Java 21 stays free under the NFTC until September 2026, and then the same clock runs out.
So the trap works like this. You adopt a free version in good faith. A year or two later its free window closes. Your team keeps applying security patches, because not patching is not an option. Each of those patches is now a licensable event, and you may not know it happened. Oracle does, because the updates checked in.
If your defense is “we only run free Java,” the first thing to verify is which build, and whether its no-fee window is still open.
Five things that inflate an Oracle Java demand
Most overexposure traces to the same five sources. Knowing which one is driving your number tells you where to push back.
1. Counting Oracle Java you do not need. Installations on machines that could run a free alternative, or that do not need Java at all, still count toward a demand if Oracle finds them. Removal before reconciliation is the cleanest reduction there is.
2. Patched versions past their free window. As above. Security updates applied after a release leaves the NFTC convert “free” use into licensable use. This is the single most common surprise in a Java review.
3. Counting the wrong headcount. The employee metric is broad, but it is not infinite. Oracle’s number is only as good as the headcount it is built on. The figure Oracle assumes is worth checking against what you can actually document.
4. Treating the soft review as the final number. The figure in the early conversation is an opening position, not a settlement. Companies that accept it as fact pay it as fact.
5. Letting the data leave before the position is built. Every script run, questionnaire returned, and detail volunteered before you have your own picture hands Oracle the advantage. Sequence matters more here than almost anywhere else in licensing.
How UMS handles an Oracle Java audit
We spent years running audits for the software publishers. We know how the demand is built, because we used to build them. That is the edge we bring to the other side of the table.
When an Oracle Java review lands, UMS Oracle audit defense rebuilds your real licensing position before Oracle’s number gets to stand: a true inventory, version and NFTC analysis, a defensible headcount, and a plan to remove or migrate what does not need to stay on Oracle. The same work covers Oracle database and middleware if the review widens, which it often does. Then we run the commercial conversation.
The Oracle Java number moves once the facts are rebuilt. In one public example, a Canadian municipality faced Java exposure priced across all 1,499 employees. UMS built the fact base, classified 216 Java endpoints, cleared 193 from immediate commercial concern, and narrowed the real follow-up to 23 endpoints and a 10-server remediation plan.
The approach carries across publishers. We cut a Fortune 500’s IBM audit exposure by more than 90 percent, and we have saved the City of New York more than $800 million across its software estate over a 25-year relationship. Control the data, correct the baseline, and never accept the publisher’s opening number.
The model removes the usual risk. Zero upfront, with the fee tied to the reduction we achieve. If you have an Oracle Java review email open right now, the most valuable 30 minutes you will spend this week is a call with someone who has sat on Oracle’s side of this conversation.
Frequently asked questions
Is an Oracle “Java usage review” the same as an audit? In practice, yes. It is a soft audit. It usually comes from sales or licensing rather than legal, and it avoids the word “audit,” but its purpose is to confirm unlicensed use and convert it into a subscription. Treat it with the same care you would a formal audit notice.
Can Oracle actually see that we downloaded Java? Largely, yes. Oracle has logged Java binary downloads since 2019, including the IP address, the corporate domain on the account, and the timestamp. Installed copies that stay connected to Oracle’s servers also check in for updates. By the time the review email arrives, Oracle often already has a download record tied to your company.
We only use the free version of Java. Are we safe? Maybe, and the deciding factor is the build number and its date. Free use under the NFTC license is time-limited per release. Java 17’s free updates ended in September 2024; Java 21’s run until September 2026. Security patches applied after a version’s free window closes require a paid subscription. Check which build you run before assuming you are covered.
How is the Java subscription priced? Per employee, not per Java user. Oracle counts all full-time, part-time, and temporary employees, plus contractors and consultants who support your operations. List pricing starts at $15 per employee per month and falls with volume. A 2,000-employee company can face a six-figure annual cost even if only a small team uses Java.
Should we just buy the subscription to make the review go away? Rarely the right first move. Because the metric is headcount-based, buying first can lock in a large recurring bill that proper remediation would have avoided. The better sequence is to inventory, remove or migrate what you can, and license only what must stay on Oracle.
What is the single most important thing to do in the first 48 hours? Stop volunteering data. Acknowledge the email, route it to one owner, and build your own licensing position before you engage on substance. Oracle’s opening number is a starting point, not a verdict.
Source notes
- Oracle Java SE Universal Subscription and the subscription FAQ: Oracle’s own description of the employee-based metric and the “employee” definition.
- Oracle Java SE Universal Subscription global price list (PDF): published per-employee tier pricing used in the cost examples above.
- Oracle JDK License FAQ: Oracle’s terms covering the NFTC license and free-use windows.
- Java 17 end of free commercial use FAQ (Azul) and Java 21 end of free commercial use FAQ (Azul): third-party reference on the NFTC timelines for Java 17 and 21.
- UMS Oracle audit defense: UMS service page for Oracle Java, database, middleware, and infrastructure audit response.