Buying Proprietary Software? Protect Your Organization from Open Source Surprises

Open source software has probably been the biggest driver of complex software solutions in the last decade. Access to a large variety of quality, peer-reviewed software has accelerated product development, reduced product introduction intervals and lowered the costs for producers of software and for those of us who leverage third party software in our projects.

Many of us have heard about the trouble that organizations have come across when using open source improperly…remember Cisco/Linksys, Katzer, and the BusyBox chronicles? You may think that your organization is safe because you are buying proprietary software. However, if your software supplier unknowingly incorporated open source into its product, your organization may face unexpected legal and financial consequences arising from open source licensing obligations and the resulting intellectual property infringement claims. The good news is that there are various tools at your disposal that can assist your organization in protecting itself from such open source surprises: contractual measures such as representations and warranties and indemnities, and extra-contractual tools such as software audits and a structured Open Source Software Adoption Process (OSSAP).

Some Basics About Commercial Contracts Relevant to Software Purchases

Commercial contracts include various provisions that protect and allocate risk among buying and selling parties. Among the most important are representations and warranties (“reps and warranties”) and indemnities. Reps and warranties are assurances made by one party that are intended to provide certainty to the other party that relies on them. For example, a hypothetical software company (“Softco Supplier”) may represent and warrant that it owns all of the intellectual property rights in the software it sells. If Softco Supplier does not in fact own all of the intellectual property rights in the software, the buyer (“Softco Buyer”) has a right to claim damages for Softco Supplier’s misrepresentation.

However, in many instances it is impossible for contracting parties to fully guarantee the accuracy of a statement. In these cases, parties opt to provide reps and warranties that are qualified by the knowledge of the party providing them. These types of reps and warranties can be problematic from the perspective of the party that seeks to rely on them. We will return to this in the following section, which specifically deals with the application of reps and warranties and indemnities to open source.

Indemnities provide security against losses that are triggered by the occurrence of contractually specified events. Unlike reps and warranties, recovery from indemnities is not contingent upon whether a misrepresentation was made. In our example, if Softco Supplier (the “indemnitor”) indemnifies Softco Buyer (the “indemnitee”) for any intellectual property infringement claims against the software being sold, then in the event that such claims arise, Softco Supplier is obligated to compensate Softco Buyer for its losses.

Reps and Warranties vs. Indemnities in an Open Source World

In the software procurement context, it is important for buyers to determine whether open source code is incorporated into the software that is being purchased. The primary reason for this is that open source license obligations are binding. Failure to comply could have a diminishing impact on software value, as some open source cannot be mixed into products that have trade secret value. Additionally, if a buyer purchases software without the knowledge that it includes open source, the buyer runs the risk of commercializing the product in a manner that violates the license that covers the open source code. This can leave the buyer exposed to costly intellectual property infringement claims.

The recent focus on open source reps and warranties and indemnification is linked to the growing instances of intellectual property infringement claims involving open source software. As courts in the United States, Germany and elsewhere have acknowledged the enforceability of open source licenses, notable violators have succumbed to costly settlements, and enforcement organizations such as the Free Software Foundation have become more aggressive in launching suits.

Because of the immense financial and legal implications of intellectual property infringement suits, a software buyer will often require its supplier to represent and warrant that the software being purchased does not contain any open source code. If open source is later discovered in the software, then the buyer is entitled to seek damages from the supplier for the breach of the representation. However, as mentioned earlier, it is often difficult for contracting parties to fully attest to the accuracy of a representation. This situation arises in instances in which the contracting party experiences knowledge gaps. In these cases, a contracting party will seek to limit its liability by narrowing the representation to apply to the knowledge that it possesses. Taking our earlier example, if Softco Supplier had acquired code from a third party, or engaged in outsourcing of programming, it may not be positioned to fully attest to the fact that the software it sells does not contain any open source. As a result, Softco Supplier will represent and warrant that ‘to the best of its knowledge, open source is not incorporated into the product’. In this case, Softco Buyer is only entitled to damages if it can show that Softco Supplier knew that its representation was untrue at the time that it was made. If this fact cannot be established, Softco Buyer is left without a remedy for any losses arising from Softco Supplier’s misrepresentation.

Unlike reps and warranties, recovery from indemnities is not contingent upon whether a misrepresentation was made. Thus, if Softco Supplier indemnified Softco Buyer for open source infringement claims against the software, then Softco Supplier would be obligated to fully cover the losses arising out of any such claims. In this case, it would be irrelevant whether Softco Supplier had knowledge of the presence of open source, as liability is triggered by the occurrence of the contractually specified event (the presence of open source) rather than the misrepresentation made by Softco Supplier.

Buyer’s Duty

Another important distinction between reps and warranties and indemnities in our example is in relation to the duty imposed on Softco Buyer to mitigate its own loss. Common law imposes a requirement on parties relying on reps and warranties to take action to mitigate their own losses. In the context of open source reps and warranties, once a software buyer becomes aware that open source is embedded in the software, the buyer must take action to minimize its loss, for example by immediately replacing the code, or making the code freely available. In contrast, there is no parallel requirement for the beneficiaries of indemnities to mitigate their own losses.

Software Audit Can Minimize Exposure

Although open source reps and warranties and indemnities can provide software purchasers with remedies for losses arising from intellectual property infringement suits, they cannot shelter the buyer from being sued in the first place, or from experiencing the loss of goodwill in relation to litigation. As a result, reps and warranties and indemnities should not be regarded as due diligence replacements. Rather than taking the risk of open source surprises, software purchasers can engage resources (internal or external) that have the ability to analyze software to determine the presence of open source prior to executing the purchase.

A software audit entails code scanning aimed at detecting third party and open source code. After the scanning stage, the purchaser is provided with an audit report detailing the identified code and associated license obligations. Performing such audits at the pre-purchase stage allows the buyer to understand whether the license obligations of the open source code are in line with the intellectual property policies of its organization, and if not, then the buyer is positioned to request the supplier to replace the code in question, or to engage an alternate supplier.
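To make the scanning and reporting step concrete, here is a small Python illustration. It is an added example, not code from this article or from any audit vendor. It assumes a constructed source tree handed over by the supplier, recognises open source only by SPDX tags and well-known license-header phrases (a commercial audit tool would also match code fingerprints against a database of known projects), and applies a hypothetical buyer policy that blocks strong copyleft in a proprietary product, sends weak copyleft and files with no license evidence to review, and allows permissive licenses. The obligation classes, policy names and sample files are all assumptions made for the example.

```python
"""Miniature open source audit (added example; not the article's or any
vendor's tooling).  Scan a source tree for license evidence, map each
license to its obligation class and check it against a buyer's IP policy.
All sample data below is constructed; a real audit also matches fingerprints."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Obligation classes as an audit report would group them (hypothetical names).
PERMISSIVE, WEAK_COPYLEFT, STRONG_COPYLEFT, UNKNOWN = (
    "permissive", "weak-copyleft", "strong-copyleft", "unknown")
LICENSE_CLASS = {
    "MIT": PERMISSIVE, "BSD-3-Clause": PERMISSIVE, "Apache-2.0": PERMISSIVE,
    "LGPL-2.1-only": WEAK_COPYLEFT, "MPL-2.0": WEAK_COPYLEFT,
    "GPL-2.0-only": STRONG_COPYLEFT, "GPL-3.0-only": STRONG_COPYLEFT,
}
FAMILY_CLASS = {"GPL": STRONG_COPYLEFT, "AGPL": STRONG_COPYLEFT,
                "LGPL": WEAK_COPYLEFT, "MPL": WEAK_COPYLEFT}

# An SPDX tag is the strongest evidence; otherwise a characteristic header
# phrase is matched.  LGPL is listed before GPL so the specific phrase wins.
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)")
HEADER_PHRASES = [
    (re.compile(r"GNU Lesser General Public License", re.I), "LGPL-2.1-only"),
    (re.compile(r"GNU General Public License", re.I), "GPL-2.0-only"),
    (re.compile(r"Apache License,? Version 2\.0", re.I), "Apache-2.0"),
    (re.compile(r"Permission is hereby granted, free of charge", re.I), "MIT"),
]

# Hypothetical buyer policy for a proprietary, binary-distributed product.
# A file with no license evidence is not "clean": its pedigree is unknown,
# so it goes to review rather than being waved through.
PROPRIETARY_PRODUCT_POLICY = {PERMISSIVE: "allowed", WEAK_COPYLEFT: "review",
                              STRONG_COPYLEFT: "blocked", UNKNOWN: "review"}

@dataclass
class Finding:
    path: str
    license_id: Optional[str]   # None: no license evidence in the file
    evidence: str               # "spdx", "header" or "none"
    obligation: str             # one of the obligation classes above
    verdict: str                # policy outcome for this file

def detect_license(text: str) -> Tuple[Optional[str], str]:
    """Return (license id, evidence kind) for one file's contents."""
    # Collapse whitespace and comment asterisks so wrapped headers match.
    norm = re.sub(r"[\s*]+", " ", text)
    m = SPDX_RE.search(norm)
    if m:
        return m.group(1), "spdx"
    for pattern, license_id in HEADER_PHRASES:
        if pattern.search(norm):
            return license_id, "header"
    return None, "none"

def classify(license_id: Optional[str]) -> str:
    """Obligation class of a license id; ids not listed fall back to their
    family (GPL-2.0-or-later -> strong copyleft), anything else to unknown."""
    if license_id is None:
        return UNKNOWN
    if license_id in LICENSE_CLASS:
        return LICENSE_CLASS[license_id]
    return FAMILY_CLASS.get(license_id.split("-")[0], UNKNOWN)

def audit(tree: Dict[str, str], policy: Dict[str, str]) -> List[Finding]:
    """Scan every file and apply the policy: the audit report's line items."""
    findings = []
    for path in sorted(tree):
        license_id, evidence = detect_license(tree[path])
        obligation = classify(license_id)
        findings.append(Finding(path, license_id, evidence, obligation,
                                policy[obligation]))
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Headline numbers of the report: files per policy verdict."""
    counts = {"allowed": 0, "review": 0, "blocked": 0}
    for f in findings:
        counts[f.verdict] += 1
    return counts

# Constructed sample tree standing in for a supplier's source drop.
SAMPLE_TREE = {
    "src/crypto/aes.c": "/* SPDX-License-Identifier: MIT */\n#include <stdint.h>\n",
    "src/net/router.c": "/* This program is free software; you can redistribute it\n"
                        " * under the terms of the GNU General\n * Public License. */\n",
    "src/ui/widgets.c": "// Copyright (c) Softco Supplier. All rights reserved.\n",
    "third_party/json/parser.c": "// SPDX-License-Identifier: Apache-2.0\n",
    "third_party/ssl/shim.c": "/* This library is free software; you can redistribute\n"
                              " * it under the terms of the GNU Lesser General Public\n"
                              " * License as published by the Free Software Foundation. */\n",
}

if __name__ == "__main__":
    report = audit(SAMPLE_TREE, PROPRIETARY_PRODUCT_POLICY)
    for f in report:
        print(f"{f.verdict:8} {f.obligation:15} {f.license_id or '-':14} "
              f"{f.path} [{f.evidence}]")
    print(summarize(report))
```

Run directly, the script prints one report line per file followed by the verdict counts. The category worth watching at the pre-purchase stage is the last one: a file carrying only a proprietary copyright notice and no license marker is reported as unknown pedigree rather than as proprietary, which is exactly the code whose origin the supplier may be unable to vouch for.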

Software Audit in the Supply Chain

One of the contexts in which software audits are particularly beneficial is in the supply chain. Shortly after Cisco acquired Linksys in 2003, it was faced with an infringement suit relating to the use of GPL covered code in its router firmware. It turned out that the infringing chipset was provided to Linksys by Broadcom, which in turn outsourced the development to a third party. As a part of the settlement that was reached, Cisco was forced to make the infringing source code freely available on its website, appoint an open source compliance officer, and make a monetary contribution to the Free Software Foundation. As the Cisco case suggests, software audits can be a helpful tool at the pre-purchase stage when dealing with a supply chain context in which the immediate supplier has little control or knowledge over the code pedigree of the final product.

Review of Available Contractual Tools

Software purchasers have contractual tools (reps and warranties, and indemnities) at their disposal to protect their organizations from open source liabilities; however, it is important to remember that not all tools provide equal protection. While reps and warranties can provide the buyer with a remedy against misrepresentation, in instances where these assurances are qualified by the knowledge of the supplier, the buyer may be left without recourse. From this perspective, indemnities offer increased protection to software purchasers concerned about intellectual property infringement claims in relation to the use of open source.

Open source indemnities are also beneficial in comparison with reps and warranties, as they do not impose an obligation upon the party relying on them to take any action to minimize their own losses in the event of a breach.

Although open source reps and warranties and indemnities can provide software purchasers with means of recovery from intellectual property infringement claims, these contractual measures provide for an imperfect after-the-fact solution to a problem that lends itself well to management practices that would reduce the risk in the first place. Structured open source license management practices and software audits aimed at identifying third party and open source code and ensuring open source compliance provide an optimal level of protection. These tools provide certainty regarding code pedigree, and enable software purchasers to avoid the negative consequences arising from intellectual property infringement suits.

devx-admin
