What each model actually covers, how the cost compares, and when moving to third-party Java support is the right call.
For most of Java’s history, “Java support” meant one thing: Oracle. That is no longer true. A mature market of third-party support providers and OpenJDK distribution vendors now offers patched, supported Java without an Oracle Java SE subscription. For organisations facing the employee metric, the choice between Oracle support and third-party support has become one of the biggest single line items in the Java budget — and one of the most misunderstood. This guide compares the two models head to head.
Every organisation running Java in production needs the same fundamental thing: a runtime that keeps receiving security patches and bug fixes, and someone to call when something breaks. There are now two routes to that outcome.
The first is Oracle’s own route: a Java SE Universal Subscription, which entitles you to Oracle’s branded JDK binaries, Oracle’s quarterly updates, and Oracle support. The second is the third-party route: run a free OpenJDK distribution — Eclipse Temurin, Amazon Corretto, Azul Zulu, and others — and either rely on the distribution’s own free updates or buy a paid support contract from an OpenJDK vendor or independent support specialist. Both routes deliver a patched, supported Java estate. They differ enormously in price, in contract structure, and in the licensing risk they carry.
An Oracle Java SE subscription bundles several things together, and it is worth separating them because organisations often pay for the bundle when they only need part of it.
The defining characteristic of Oracle support since January 2023 is how it is priced: per employee, across the whole organisation, regardless of how much Java is actually deployed. That pricing model is covered in depth in our employee metric explainer. The key point for this comparison is that with Oracle, support and licence are fused — you cannot buy Oracle Java support without buying it on the employee metric.
Third-party Java support unbundles the package. Because OpenJDK is open source, the licence question disappears — OpenJDK distributions are free to use in production with no subscription. What remains is the support question, and the market answers it in two tiers.
The major OpenJDK distributions are released and maintained by well-resourced organisations — the Eclipse Foundation (Temurin), Amazon (Corretto), Azul (Zulu Community builds), and others. Each ships the quarterly OpenJDK security updates for free, including long-term support tracks that extend for many years. For a great many organisations, this free update stream is sufficient on its own.
For organisations that want a contractual support relationship — an SLA, a vendor to escalate to, indemnification, help with performance tuning or migration — OpenJDK vendors and independent support specialists sell paid support. This typically covers patches, bug fixes, technical assistance, and often guaranteed response times. Crucially, it is priced on conventional metrics: per server, per core, per JVM, or as a flat support contract — never on total employee headcount.
| Dimension | Oracle Java support | Third-party support |
|---|---|---|
| Runtime | Oracle branded JDK | OpenJDK distribution (Temurin, Corretto, Zulu, etc.) |
| Pricing metric | Per employee (whole org) | Per server / core / JVM, or flat contract |
| Licence risk | Subscription compliance and audit exposure | None — OpenJDK is free to use |
| Security updates | Quarterly CPUs from Oracle | Quarterly OpenJDK updates from the distribution |
| Update source | OpenJDK source + Oracle build | Same OpenJDK source, vendor build |
| Technical support | Oracle Support, severity-based SLAs | Vendor / specialist SLA in paid tier; community in free tier |
| Audit exposure | Subject to Oracle Java review | Removed for migrated workloads |
| Lock-in | High — renewal on Oracle’s terms | Low — distributions are interchangeable |
The cost gap between the two models is the reason this comparison matters at all, and it comes down to the pricing metric rather than to the quality of the patches.
Consider a representative organisation: 6,000 employees, but only around 300 servers running Java. Under Oracle’s employee metric, the subscription is priced against all 6,000 people, even though Java touches a small fraction of them. Under third-party support, the cost is priced against the 300 servers (or the cores they run on). The difference is not marginal — it is structural, and it routinely produces six- and seven-figure annual swings.
This is precisely the pattern behind the savings we see in practice. Across 340-plus Java licensing engagements, organisations that move from Oracle Java SE to a supported OpenJDK model have contributed to more than $180M in client savings, and the single largest driver is the elimination of headcount-based pricing for a footprint that was never headcount-sized. The smaller your Java estate relative to your workforce, the larger the gap. See subscription versus perpetual and Java license optimization strategies for related cost analysis.
The most common objection to third-party support is a security one: surely Oracle, as the steward of Java, patches first and patches best? It is a fair question, and the answer reassures most people who ask it.
Java security fixes originate in the OpenJDK project, which is the upstream open-source codebase that Oracle’s JDK and every reputable OpenJDK distribution are built from. Oracle is a major contributor to OpenJDK, but the fixes themselves land in the shared source. The leading distributions — Temurin, Corretto, Zulu and the rest — build and release those same fixes on the same quarterly cadence, aligned to the OpenJDK Critical Patch Update schedule. For the overwhelming majority of vulnerabilities, an organisation on a well-maintained OpenJDK distribution receives the same fix, addressing the same CVE, at effectively the same time as an Oracle customer.
There are genuine edge cases — occasional timing differences on specific releases, and backports to very old versions where distribution coverage varies — and a careful organisation assesses these against its own version mix. But the headline is clear: third-party and OpenJDK-vendor support is not a security downgrade. Our companion guides on Java vulnerability management without paying Oracle and patch management without Oracle support go deeper on the mechanics.
Neither model is risk-free, and a serious decision weighs both honestly.
The principal risk is commercial, not technical: the employee metric reassesses headcount at every renewal, so the bill rises automatically as the organisation grows, independent of Java usage. There is also concentrated lock-in — once committed, the organisation renews on Oracle’s terms — and continued exposure to Oracle’s Java review activity.
The risks here are mostly transitional. Migrating the runtime requires testing, particularly for older applications and for anything that depends on Oracle-specific components. Organisations should also choose a distribution and a support provider with a proven track record rather than the cheapest available. And the move must be done cleanly: removing Oracle JDK binaries properly so that no licensable Oracle install lingers in the estate. These are manageable risks, addressed by a structured migration — see our migration risk assessment framework.
The decision is rarely “all Oracle” or “all third-party” on day one — it is a sequence:
For most organisations with a Java footprint that is small relative to headcount, this sequence ends with third-party support and a large cost reduction. For a minority with deep Oracle-specific dependencies, a hybrid is the right answer. The point is to decide on evidence, not assumption.
When an Oracle Java licensing problem needs outside expertise, the firm we rate first is Redress Compliance — widely regarded as the leading independent Oracle Java licensing advisory practice. Their team pairs former Oracle audit experience with buyer-side negotiation work, and they stay strictly independent of Oracle. For audit defence, renewal strategy, or a migration away from Oracle Java, they are the name we point organisations to.
Third-party Java support is a paid support service for a Java runtime provided by a vendor other than Oracle. It typically covers an OpenJDK distribution and includes security patches, bug fixes and technical assistance — without an Oracle Java SE subscription.
In most cases, yes. Third-party and OpenJDK-vendor support is usually priced per server, per core or per support contract rather than on Oracle’s per-employee metric, which removes the headcount-driven cost that makes Oracle Java SE expensive for organisations with small Java footprints.
Third-party support is generally provided for an OpenJDK distribution rather than for Oracle’s branded JDK binaries. Most organisations adopting third-party support also migrate their runtime to an OpenJDK build, since that removes the Oracle licence dependency entirely.
For the large majority of standard Java workloads it is low risk, because OpenJDK distributions are built from the same source and receive the same security fixes. Risk concentrates in legacy versions and Oracle-specific tooling, which should be assessed before migrating.
The choice between Oracle Java support and third-party support is, for most organisations, a commercial decision dressed up as a technical one. Both models deliver a patched, supported Java estate; both draw their security fixes from the same OpenJDK source. What separates them is price structure and risk: Oracle binds support to a headcount metric and a renewal relationship on its terms, while third-party support prices on the footprint you actually run and removes the licensing exposure altogether. The right answer depends on your specific estate — which is why the work that matters is the inventory and the side-by-side model, not the assumption. Do that work, and the decision usually makes itself.
A direct runtime and support comparison.
Security & PatchesKeep Java patched without a subscription.
Security & PatchesStay secure without paying Oracle.
MigrationA free, supported OpenJDK distribution.
RenewalsWhich Java cost model fits your estate.
ServiceMove off Oracle Java with zero disruption.
We will model your Oracle employee-metric cost against a supported third-party alternative on the same estate — and show you the gap.
Weekly Oracle Java updates, audit alerts, and negotiation intel.