I spent some time looking over your FAQ and performed other searches to try to find an answer:
For entities that use SecureDrop, how is licensing and use of grsec with Linux kernels newer than 4.9 handled?
Are you maintaining older patch files which were still opensource under GPL and upgrading them to work with newer kernels? (Effectively, maintaining a fork since last GPL release?) Using an exception, where the scripted process avoid a need for a commercial license?
Are sites that run SecureDrop with the default install expected to buy commercial licenses from grsec?
If a commercial grsecurity / grsec license is required, are there regions where it is not required?
If you have any links to documents or documents which discuss this issue, and legal risk mitigation wrt grsec licensing, please let me/us know.