Case study: Open Source Software Compliance / Risk Management

Outside GC and Patent GC:
Navigating Open Source Software Compliance and Risk Management

The ubiquitous and prolific growth in the use of open source software is as remarkable as it is complex. What started as a small movement 40 years ago is now a prevailing business practice touted for lowering costs, improving quality and increasing speed to market. Today, 90% of the world's smartphones are based on an Android operating system, 75% of cloud platforms run Linux, and 70% of the world's websites are built on WordPress, Joomla, and Drupal. Open source software is essentially everywhere and in everything.

Despite its prevalence, the use of open source software is not without its risks. Perhaps the most notable current risk is the threat of cyberattacks and data breaches caused by security vulnerabilities resulting from the unmonitored use of open source software. Many companies do not appreciate the fact that open source software is third-party code, and unknowingly permit software developers and outsourcing companies to introduce open source code, in some cases wiped clean of its licenses and notices, without any internal review, resulting in a significant portion of the code base going unmaintained against security vulnerabilities.

Other risks related to open source software usage include the potential contamination of proprietary code through copyleft licenses, such as the various versions of the GNU General Public License (“GPL”), and the threat of litigation based on the broad scope of the GPL. Like other open source licenses, the GPL grants end-users the right to modify and share the software, but it goes a step further in asserting that any code “derived” from the original open source software must itself be made available in open source form under the same GPL license. This position has led some to claim that the GPL extends to proprietary code compiled with unmodified GPL code, and recently, creative new litigation models asserting the rights of licensees have been advanced by compliance trolls in Germany and the USA. Finally, open source software can present obstacles to M&A-related activity involving software assets. During routine open source audits, unknown and/or unmaintained open source software is invariably found, which can lead to a diminution in value of the company being acquired.

Once these risks are understood, companies are quick to appreciate the importance of a cohesive open source software strategy, coupled with a comprehensive compliance and risk mitigation program. However, few companies have an internal resource who understands the complexities of open source software issues. Outside GC’s and Patent GC’s teams of former in-house lawyers include several lawyers with extensive open source software expertise and experience advising clients on how to develop effective open source software compliance and risk mitigation programs, and who would be happy to discuss your unique needs in this fast-evolving and critical area.

The following case studies of actual client work illustrate the scope of our open source capabilities:

Case Study: Large Financial Institution

A member of the Board of Directors of a large financial institution (“Fin Co”) learned of the security risks posed by the use of unmonitored open source software and requested a scan of the code base at Fin Co. As is typical of an open source code scan across all industries developing software, thousands of instances of unmonitored open source software were discovered, including many instances of code with high-severity security vulnerabilities according to the National Vulnerability Database. An internal team at Fin Co was put together to remediate the situation.

As internal legal resources were limited, Fin Co considered bringing in an external legal resource. After approaching several large law firms, Fin Co was introduced to Outside GC. Impressed by the firm’s practical approach, affordable rates, and, most importantly, the extensive open source experience of CA-based partner Frank Fletcher, Fin Co. hired Outside GC to handle the seemingly arduous task of designing and implementing an open source compliance program.

Frank’s deep and nuanced understanding of the open source ecosystem is the result of over 15 years of general counsel experience for technology companies, including Nero AG, a German multimedia software company, and Sun Microsystems. Frank’s first objective with Fin Co.’s project was educating key constituents within the company about open source and the software development process, which he did through a series of weekly conference calls for employees from all sides of the organization (legal, business and technology). Frank focused on critical topics such as trusted open source repositories, security issues caused by vulnerabilities in software code, and infringement risks related to non-compliance and the recent rise of compliance trolls.

Frank then guided Fin Co. through a review of the results of the open source scan, advising the company to categorize its open source code into groups with graduating levels of risk. Compliance protocols for each category were developed based on the company’s risk tolerance position. With the support of an automated compliance program provided by a third party, Fin Co. has now successfully implemented the compliance program, with Frank remaining available to advise the company on complex license issues requiring an individualized risk analysis that may arise from time to time. Fin Co can now be considered at the forefront of open source security vulnerability remediation and open source compliance.

Case Study: Small Technology Company

“Tech Co.” is a small, venture-backed company with proprietary software assets. The company’s product development team routinely incorporates open source software into its software products. Desiring to be a “good citizen” within the open source community, Tech Co. attempted to manage its compliance obligations relating to open source software by requiring its engineers to seek internal review of the open source licenses by the in-house legal department prior to use. However, this process presented both budgetary and timing constraints for the company’s product engineering team.

Tech Co. realized that it needed a more efficient system for license management, and reached out to Patent GC for guidance on developing and implementing realistic compliance policies and procedures. Tech Co. was introduced to Michelle Rosenberg, a Member of Patent GC and an IP attorney with considerable open source licensing experience, and has since relied on her to advise them on open source software matters.

Michelle first met with Tech Co.’s in-house legal group to present a comprehensive overview of open source license management best practices, as well as a review of the compliance and risk management issues relating to its use. After assessing the company’s risk tolerance, Michelle then prepared a set of practical, functional policies and procedures based on various license types and the levels of risk associated with each. Among other things, this approach would empower the engineering team to make decisions in real-time, allowing them immediate access to open source software subject to certain licenses and providing a streamlined process for escalating other licenses to the legal department for approval. Additionally, this program included a process for tracking open source software embedded in Tech Co.’s proprietary products to help the company fulfill requests for such information from its licensees.

Tech Co.’s in-house lawyers took the lead on adapting Michelle’s recommendations to suit their specific needs, and Michelle remains a resource when complex license issues require additional review.


Frank Fletcher is a Partner with Outside GC LLC’s California-based team. He has over 15 years of in-house experience in software, digital media and online privacy, including extensive open source software expertise. His LinkedIn profile is available at: www.linkedin.com/in/frankfletcherprofile. Frank can be reached at ffletcher@outsidegc.com.

Michelle Rosenberg is a Member of Patent GC LLC. She has over 20 years of experience in both large Boston law firms and in-house at technology companies. Michelle’s engineering background enables her to communicate and help resolve open source issues with employees from all sides of the organization (legal, business and engineering). Michelle also served as chief IP counsel for RSA Security (now part of Dell Inc.) and has particular expertise in security issues and technology. Her LinkedIn profile is available at: https://www.linkedin.com/in/mbrosenberg/. Michelle can be reached at mrosenberg@patentgc.com.

Contact us to learn how our on-demand general counsel services can meet the specific needs of your business affordably and responsively.