Oracle Java “Security Patch” Call Is a Licensing Audit


I count software for a living. So when a client forwards me an Oracle Java quote, the first thing I do is ask how they got to the number. The answer is almost always the same, and it is almost always a shock. The bill is not priced on how much Java you run. It is priced on how many people you employ.

Oracle moved Java SE to a Universal Subscription in January 2023. The old model counted processors or named users. The new one counts employees. Every full-time worker, every part-time worker, every temp, every contractor. List price starts at $15 per employee per month. Run the math on a 10,000-person company and you are looking at $1.8M a year. The number of actual Java installs does not enter the calculation.

The metric is the trap, not the software

Here is what I keep seeing in the field. A company has Java on a few dozen servers. Maybe a hundred. The technical footprint is small and they know it. Then the quote arrives sized to their entire headcount and the room goes quiet. That gap between what you run and what you pay is the whole point of the metric. Oracle is not selling you licenses for your Java estate. It is selling you a subscription priced on your payroll.

A 10,000-person firm with Java on 50 servers pays the same as a 10,000-person firm with Java on 5,000 servers. The usage is irrelevant to the bill. So, the first number you need is not how many installs you have. It is how many employees Oracle thinks you have, and whether you have any obligation to license them at all.

The “security patch” call is a sales call

The second pattern shows up in the calendar before it shows up in the quote. An Oracle rep books a friendly meeting. They call it a security walkthrough or a health check. The pitch sounds responsible. Older Java versions have unpatched vulnerabilities, and to keep receiving security patches you need a paid subscription. True on the surface. The part they leave out is that the call is a discovery exercise, and the questions are designed to map your Java footprint for a future bill.

This is the part most teams miss. The free Oracle JDK 8 updates stopped at version 8u202 back in January 2019. Everything from 8u211 onward needs a commercial subscription for business use. So, the rep is technically correct about the patches. They are just using a real security concern as the doorway to an employee-metric quote.

Do not hand a publisher your full inventory on a discovery call. That is a fishing expedition, and the catch is your headcount.

What we’re seeing in engagements right now

Across the engagements I work, the list math runs to seven and eight figures for companies whose real Java usage is a rounding error.

One pattern repeats: the quote assumes every Java in the building is Oracle’s and every install is licensable. Neither is usually true. Much of what gets counted is a non-Oracle distribution, or Java already covered by another product, or installs nobody can confirm are still in use.

What to verify before you answer Oracle

Before you concede a single dollar, count the things that actually move the number.

  • First, which Java versions are you running, and are they Oracle’s or someone else’s? Oracle Java and a distribution like Eclipse Temurin are not the same product, and only one of them carries this bill. You distinguish them by publisher and product, not by the word “Java.”
  • Second, is your Java already covered? Plenty of it is. Some enterprise content platforms require Java and bundle the entitlement. Oracle E-Business Suite includes a Java right. A JDK used only for an Oracle cloud plugin is bundled, not separately licensable. Coverage you already paid for should never be quoted to you twice.
  • Third, where does Java actually live? It hides inside third-party applications you cannot simply uninstall. It runs on locked-down networks you cannot scan, the industrial and transit systems where nobody is touching the box. You find it by chasing dependencies server by server, asking the owner whether the thing still needs Java at all.
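The first two checks above (whose Java is it, and which update level) can be done from the `java -version` banner each install prints. The script below is an added illustration, not MetrixData 360's tooling; the host names and banner text are constructed, and it assumes you have already collected that banner from each host. It separates the `Java(TM)` banner of Oracle's commercial JDK from OpenJDK builds such as Temurin and flags Oracle JDK 8 builds at or past the 8u211 cut-over the post describes.

```python
import re

# Constructed sample: `java -version` banners (printed on stderr) from three
# hypothetical hosts, laid out as Oracle JDK and Eclipse Temurin builds print them.
SAMPLE_BANNERS = {
    "app-srv-01": 'java version "1.8.0_291"\n'
                  'Java(TM) SE Runtime Environment (build 1.8.0_291-b10)\n'
                  'Java HotSpot(TM) 64-Bit Server VM (build 25.291-b10, mixed mode)',
    "app-srv-02": 'java version "1.8.0_202"\n'
                  'Java(TM) SE Runtime Environment (build 1.8.0_202-b08)\n'
                  'Java HotSpot(TM) 64-Bit Server VM (build 25.202-b08, mixed mode)',
    "build-01":   'openjdk version "17.0.8" 2023-07-18\n'
                  'OpenJDK Runtime Environment Temurin-17.0.8+7 (build 17.0.8+7)\n'
                  'OpenJDK 64-Bit Server VM Temurin-17.0.8+7 (build 17.0.8+7, mixed mode, sharing)',
}

# First banner line, both version schemes: 1.8.0_291 (legacy) and 17.0.8 (JDK 9+).
VERSION_RE = re.compile(r'^(?:java|openjdk) version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?')

def parse_version(banner):
    """Return (major, update): 1.8.0_291 -> (8, 291), 17.0.8 -> (17, 8), 11 -> (11, 0)."""
    first = banner.splitlines()[0]
    m = VERSION_RE.match(first)
    if not m:
        raise ValueError("unrecognised version line: %r" % first)
    a, b, c, upd = m.groups()
    if a == "1":                       # legacy scheme: 1.<major>.0_<update>
        return int(b), int(upd or 0)
    return int(a), int(c or 0)         # new scheme: <major>.<minor>.<update>

def classify(banner):
    """Tell Oracle JDK from other OpenJDK builds and flag the 8u211 subscription cut-over."""
    major, update = parse_version(banner)
    lines = banner.splitlines()
    runtime = lines[1] if len(lines) > 1 else ""
    if "Java(TM)" in runtime:          # the trademark banner is Oracle's commercial JDK
        vendor = "Oracle JDK"
        if major == 8 and update >= 211:
            status = "subscription required (8u211 or later)"
        elif major == 8:
            status = "pre-8u211 Oracle build; check entitlement and patch level"
        else:
            status = "Oracle JDK; check entitlement"
    else:
        # OpenJDK banner: the publisher token (e.g. Temurin-17.0.8+7) sits before "(build".
        m = re.search(r"Runtime Environment\s*(.*?)\s*\(build", runtime)
        token = m.group(1) if m and m.group(1) else "unbranded"
        vendor = "OpenJDK (%s)" % token.split("-")[0]
        status = "OpenJDK build (GPL); not the subscription product, record the publisher"
    return {"vendor": vendor, "major": major, "update": update, "status": status}
```

Run `classify` over every banner you collected and keep the per-host table; that is the "which Java, whose Java" count the post says to do before answering Oracle.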

The bill is sized to your payroll. Your real exposure is sized to what you run, what you already cover, and what is even Oracle’s to charge for. Those are different numbers, and the distance between them is where the money is. Size the real one before you talk to anyone. Count it yourself, or have someone independent count it for you, because the publisher counting it for you has already shown you which number they prefer.

MetrixData 360 helps enterprises defend their Oracle Java audits and reviews by establishing the number that actually matters before Oracle gets to define it. That means independently counting your Java estate, separating Oracle JDK from non-Oracle distributions like Temurin, identifying installs already covered by other entitlements, and stripping out what is dormant or not Oracle’s to charge for in the first place. By the time you sit across from Oracle, you are negotiating from a defensible, evidence-based position sized to your real exposure, not to your payroll.

If a “security walkthrough” is already on your calendar, or a Universal Subscription quote has already landed, that is the moment to bring in independent counsel. Talk to us before you answer Oracle.

Written by Sharon Idaraji, SAM Specialist/Consultant at MetrixData 360.