Can a startup use an NDA to threaten me for reporting their open-source license violation?
Location: California, US. I worked as a software contractor for a small tech startup until late 2025. When I left the company I signed a standard non-disclosure agreement covering their proprietary algorithms and internal business operations.
A few weeks ago I was reviewing an open-source project that I contribute to regularly. I noticed that the startup recently released a commercial software tool that uses large blocks of our copyleft code word for word. Our open-source license strictly requires any derivative work to also be open-source and free, but they are selling this tool under a restrictive proprietary license.
They basically stole the community's hard work to turn a quick profit. Because I know their codebase intimately from my time there, I can prove exactly which parts were lifted. I sent a polite email to their lead engineer pointing out the licensing violation and suggesting they comply before the open-source foundation gets involved.
Yesterday I received a formal letter from their corporate attorney. It accuses me of violating my NDA by using knowledge gained during my employment to monitor their product. They are threatening a massive lawsuit for damages and tortious interference if I speak to the open-source foundation or anyone else about this.
The code they took is fully public on GitHub, so anyone could technically find the similarity, but my email proved I was the one who noticed it. I feel an ethical obligation to protect the open-source community, but I am terrified of a costly legal battle. Can a company legally use an NDA to hide an ongoing copyright and license violation? What are my options here?