The growth in the use of open source software has been as remarkable as it is complex. What started as a small movement 40 years ago is now a prevailing business practice touted for lowering costs, improving quality and increasing speed to market. Today, 90% of the world's smartphones run an Android operating system, 75% of cloud platforms run Linux, and 70% of the world's websites are built on WordPress, Joomla, and Drupal. Open source software is essentially everywhere and in everything.
Despite its prevalence, the use of open source software is not without its risks. Perhaps the most notable current risk is the threat of
Other risks related to open source software usage include the potential contamination of proprietary code through copyleft licenses, such as the various versions of the GNU General Public License (“GPL”), and the threat of litigation based on the broad scope of the GPL. Like other open source licenses, the GPL grants end-users the right to modify and share the software, but goes a step further in asserting that any code “derived” from the original open source software must itself be made available under the same GPL license. This position has led some to claim that the GPL extends to proprietary code compiled together with unmodified GPL code; and recently, creative new litigation models asserting the rights of licensees have been advanced by compliance trolls in Germany and the USA. Finally, open source software can present obstacles to M&A-related activity involving software assets. During routine open source audits, unknown and/or unmaintained open source software is invariably found, which can lead to a diminution in the value of the company being acquired.
Once these risks are understood, companies are quick to appreciate the importance of a cohesive open source software strategy, coupled with a comprehensive compliance and risk mitigation program. However, few companies have an internal resource who understands the complexities of open source software issues. Outside GC’s and Patent GC’s teams of former in-house lawyers include several lawyers with extensive open source software expertise and experience advising clients on how to develop effective open source software compliance and risk mitigation programs, and who would be happy to discuss your unique needs in this fast-evolving and critical area.
The following case studies of actual client work illustrate the scope of our open source capabilities:
A member of the Board of Directors of a large financial institution (“Fin Co”) learned of the security risks posed by the use of unmonitored open source software and requested a scan of the code base at Fin Co. As is typical of an open source code scan across all industries developing software, thousands of instances of unmonitored open source software were discovered, including many instances of code with
As internal legal resources were limited, Fin Co considered bringing in an external legal resource. After approaching several large law firms, Fin Co was introduced to Outside GC. Impressed by the firm’s practical approach, affordable rates, and most importantly, the extensive open source experience of
Frank’s deep and nuanced understanding of the open source ecosystem is the result of over 15 years of general counsel experience for technology companies, including Nero AG, a German multi-media software company, and Sun Microsystems. Frank’s first objective with Fin Co’s project was educating key constituents within the company about open source and the software development process, which he did through a series of weekly conference calls for employees from all sides of the organization (legal, business and technology). Frank focused on critical topics such as trusted open source repositories, security issues caused by vulnerabilities in software code, and infringement risks related to non-compliance and the recent rise of compliance trolls.
Frank then guided Fin Co through a review of the results of the open source scan, advising the company to categorize its open source code into groups with graduated levels of risk. Compliance protocols for each category were developed based on the company’s risk tolerance. With the support of an automated compliance program provided by a third party, Fin Co has now successfully implemented the compliance program, with Frank remaining available to advise the company on complex license issues requiring an individualized risk analysis that may arise from time to time. Fin Co can now be considered at the forefront of open source security vulnerability remediation and open source compliance.
“Tech Co.” is a small, venture-backed company with proprietary software assets. The company’s product development team routinely incorporates open source software into its software products. Desiring to be a “good citizen” within the open source community, Tech Co. attempted to manage its compliance obligations relating to open source software by requiring its engineers to seek
Tech Co. realized that it needed a more efficient system for license management, and reached out to Patent GC for guidance on developing and implementing realistic compliance policies and procedures. Tech Co. was introduced to Michelle Rosenberg, a Member of Patent GC and an IP attorney with considerable open source licensing experience, and has since relied on her to advise it on open source software matters.
Michelle first met with Tech Co.’s in-house legal group to present a comprehensive overview of open source license management best practices, as well as a review of the compliance and risk management issues relating to open source use. After assessing the company’s risk tolerance, Michelle then prepared a set of practical, functional policies and procedures based on the various license types and the level of risk associated with each. Among other things, this approach empowers the engineering team to make decisions in real time: open source software under certain licenses is available to engineers immediately, while software under other licenses goes through a streamlined process for escalation to the legal department for approval. Additionally, the program included a process for tracking open source software embedded in Tech Co.’s proprietary products, to help the company fulfill requests for such information from its licensees.
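Both case studies describe the same mechanism: sort components by license type into risk tiers, let engineers pull in the low-risk tiers on their own, route the rest to legal, and keep a record of what actually ships inside the product. The following is an added example of that gate in code; it is not code from this page, from Outside GC or from Patent GC. The tier memberships, the decision attached to each tier and the component inventory are all assumptions made for illustration (which licenses land in which tier is a legal decision this example does not make); it goes a little beyond the text by evaluating SPDX license expressions, so that a component offered as "MIT OR GPL-3.0-only" is rated by the choice the licensee is allowed to make.

```python
"""Tiered license policy gate over a dependency inventory.

Added example, not code from the page or from Outside GC / Patent GC.
Tiers, decisions and the sample inventory are assumptions for illustration;
the actual policy is set by counsel against the company's risk tolerance.
"""
import re

# Tier membership is illustrative, not exhaustive. Higher rank = more restrictive.
TIERS = {
    "permissive": {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC", "Zlib"},
    "weak-copyleft": {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only",
                      "LGPL-3.0-or-later", "MPL-2.0", "EPL-2.0"},
    "strong-copyleft": {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                        "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"},
}
RANK = {"permissive": 0, "weak-copyleft": 1, "strong-copyleft": 2, "unknown": 3}

# What an engineer may do with a component in each tier without waiting for legal.
DECISION = {
    "permissive": "auto-approve",
    "weak-copyleft": "approve-with-conditions",   # e.g. keep notices, link dynamically
    "strong-copyleft": "escalate-to-legal",
    "unknown": "block-until-identified",          # unidentified code is the highest risk
}

def tier_of(license_id):
    for tier, ids in TIERS.items():
        if license_id in ids:
            return tier
    return "unknown"

_TOKEN = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+-]+")

def tier_of_expression(expr):
    """Reduce an SPDX license expression to one tier.

    'A OR B' lets the licensee choose, so the least restrictive option counts;
    'A AND B' imposes both, so the most restrictive counts. 'X WITH exception'
    is rated as X: exceptions are not modelled here (a policy gap to note).
    """
    tokens = _TOKEN.findall(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():                       # or_expr := and_expr (OR and_expr)*
        left = parse_and()
        while peek() == "OR":
            take()
            right = parse_and()
            left = left if RANK[left] <= RANK[right] else right
        return left

    def parse_and():                      # and_expr := primary (AND primary)*
        left = parse_primary()
        while peek() == "AND":
            take()
            right = parse_primary()
            left = left if RANK[left] >= RANK[right] else right
        return left

    def parse_primary():                  # primary := '(' or_expr ')' | ID [WITH ID]
        tok = take()
        if tok == "(":
            inner = parse_or()
            if peek() != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            take()
            return inner
        if tok in ("AND", "OR", "WITH", ")"):
            raise ValueError("unexpected %r in %r" % (tok, expr))
        if peek() == "WITH":
            take()
            take()                        # the exception id, rated with the base license
        return tier_of(tok)

    if not tokens:                        # empty / missing license field
        return "unknown"
    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return result

def gate(inventory):
    """Apply the policy to each component. Returns (decisions, disclosure) where
    disclosure lists the components embedded in shipped product, i.e. what a
    licensee asking 'which open source is in this?' should receive."""
    decisions, disclosure = [], []
    for comp in inventory:
        tier = tier_of_expression(comp["license"])
        decisions.append({"name": comp["name"], "version": comp["version"],
                          "tier": tier, "decision": DECISION[tier]})
        if comp.get("embedded", False):
            disclosure.append((comp["name"], comp["version"], comp["license"]))
    return decisions, disclosure

def escalations(inventory):
    """Names that must stop at legal before use."""
    return [d["name"] for d in gate(inventory)[0]
            if d["decision"] in ("escalate-to-legal", "block-until-identified")]

# Constructed sample inventory (hypothetical component names, not real scan output).
SAMPLE_INVENTORY = [
    {"name": "libfoo", "version": "1.4.2", "license": "MIT", "embedded": True},
    {"name": "jsonlib", "version": "3.1.0", "license": "Apache-2.0 OR GPL-3.0-only", "embedded": True},
    {"name": "cryptoutil", "version": "0.9", "license": "LGPL-2.1-or-later AND MIT", "embedded": True},
    {"name": "reportgen", "version": "2.0", "license": "AGPL-3.0-only", "embedded": False},
    {"name": "vendored-blob", "version": "?", "license": "", "embedded": True},
    {"name": "jdk-bits", "version": "11", "license": "GPL-2.0-only WITH Classpath-exception-2.0", "embedded": True},
]

if __name__ == "__main__":
    decisions, disclosure = gate(SAMPLE_INVENTORY)
    for d in decisions:
        print(f"{d['name']:<14}{d['tier']:<17}{d['decision']}")
    print("disclosure list:", disclosure)
```

Two points of the design matter in practice. An empty or unrecognised license is rated as the most restrictive tier and blocked, not waved through, because the unidentified code found in every scan is exactly the risk the case studies describe. And the gate produces the disclosure list as a by-product of the same pass, so the answer to a licensee's "what open source is in your product?" comes from the inventory the policy already maintains rather than from a separate hunt.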
Tech Co.’s in-house lawyers took the lead on
Frank Fletcher is a Partner with Outside GC LLC’s California-based team. He has over 15 years of in-house experience in software, digital media and
Michelle Rosenberg is a Member of Patent GC LLC. She has over 20 years of experience in both large Boston law firms and in-house at technology companies. Michelle’s engineering background enables her to communicate and help resolve open source issues with employees from all sides of the organization (legal, business and engineering). Michelle also served as chief IP counsel for RSA Security (now part of Dell Inc.) and has particular expertise in security issues and technology. Her LinkedIn profile is available