It's nothing to do with whether the applications are free to the end user or not: Veracode are doing some complicated, specialist analysis and their time and expertise don't come for free. The developers pay to have their code analysed.
If open source components are used in commercial applications, it's reasonable that the commercial developer, knowing that their security is only as good as their weakest component, will pay to have open source code validated.
__________________ It is by coffee alone I set my mind in motion...