Open-Source Compliance Expert - pharmaceutical industry

Admin

Kraków +4 Locations

Sii

Full-time
Permanent
Senior
Remote

Tech stack

  • English: B2

  • Black Duck: regular

  • OSS licences: regular

  • FOSSA: regular

  • helm-charts: regular

  • Apache Maven: regular

Job description

Join our team working on projects for one of the largest pharmaceutical companies in the world and have a real impact on the lives and health of more than 15 million patients!

We are seeking an experienced and detail-oriented Open-Source Compliance Specialist to join our team. This role bridges software engineering, legal, and compliance functions to ensure our use of open-source software (OSS) complies with licensing obligations and aligns with our product and business goals.


Your tasks

  • Evaluate SBOMs generated from internal tools or suppliers for OSS license compliance

  • Classify and interpret open-source licenses (e.g., MIT, Apache, GPL, LGPL, AGPL, etc.), and flag potential risks or obligations

  • Conduct impact analysis for license incompatibilities or usage restrictions (e.g., copyleft triggers)

  • Track and review OSS updates in products during development, release, and maintenance

  • Maintain internal documentation related to open-source policies, licensing exceptions, and compliance workflows

  • Collaborate with product lifecycle, DevOps, and cybersecurity teams to integrate compliance checks into CI/CD workflows

Requirements

  • Bachelor's or Master's degree in Computer Science, Software Engineering, Law, or a related field

  • Over 5 years of experience in open-source license compliance, preferably in a regulated or product-driven environment

  • Strong knowledge of OSS licenses, obligations, and best practices for permissive, weak, and strong copyleft licenses

  • Familiarity with reviewing and interpreting SBOMs (SPDX, CycloneDX) and related tooling (FOSSA, Black Duck, ORT, Syft, etc.)

  • Understanding of software architecture and development, CI/CD pipelines, and various diagrams and concepts

  • Excellent communication skills and the ability to explain technical issues in legal or business contexts in fluent English

  • Fluent Polish required

  • Residing in Poland required


Nice to have

  • Experience in MedTech, automotive, or other regulated industries

  • Knowledge of security vulnerabilities associated with OSS (CVEs, SBOM-driven risk mitigation)

  • Familiarity with ISO/IEC standards like ISO 5230 (OpenChain), ISO 62443, or IEC 62304


Published: 10.10.2025

Meet the company

Sii

Sii Polska is a leading provider of technology consulting, digital transformation, and business and engineering services. The company has been on the market since 2006, employs more than 7,300 experts, has won the Great Place to Work title eleven times, and generates revenue of around PLN 2.1 billion. Sii delivers projects across various industries, supporting technological development and innovation, including in medicine, agriculture and many other sectors.
