Black Duck and Tech Contracts Academy discussed the implications of open source software in tech contracts. The topic of open source has been at the forefront of the technology industry for many years, but as the use of open source in commercial applications explodes, so do concerns about addressing license and ownership issues in contract negotiations.
David Tollen is the founder of Tech Contracts Academy (www.TechContracts.com) and of Sycamore Legal P.C., in San Francisco. He’s the author of The Tech Contracts Handbook: Cloud Computing Agreements, Software Licenses, and Other IT Contracts for Lawyers and Businesspeople. He will dive into these topics from the perspective of both buyers and sellers and aims to educate on Intellectual Property (IP) protection and other terms and how they should work during contract negotiations.
Buyer and Seller Perspectives on Open Source in Tech Contracts
1. Buyer and Seller Perspectives on Open Source in Tech Contracts
David Tollen, Tech Contracts Academy
Phil Odence, Black Duck Software
2. Speakers
David Tollen
Founder & Trainer
Tech Contracts Academy
Founder and Attorney
Sycamore Legal, P.C.
Phil Odence
VP and General Manager
Black Duck Software
4. Open Source Has Blown Past the Tipping Point
“Virtually all Global 2000 companies use open source to run critical infrastructure.” - Gartner
[Chart: Open Source Projects (Millions), x-axis 2007 to 2017, y-axis 0.1 to 2.5]
5. Your Clients Use Open Source
22% of applications had >50% open source
Source: BD 2017 OSSRA Study
6. Basic Challenge: OSS Often Enters a Code Base Unchecked
[Diagram: commercial 3rd-party code reaches the code base through purchasing, where the licensing, security, quality and support questions get asked; open source reaches the code base directly. Management visibility…not!]
OPERATIONAL RISK: which versions of code are being used, and how old are they?
LEGAL RISK: which licenses are used, and do they match the anticipated use of the code?
SECURITY RISK: which components have vulnerabilities, and what are they?
7. Using OSS is Not a Free Lunch…
…internal governance maximizes OSS benefits while managing the risks
8. Understanding OSS in Contracts: Agenda
A. Open Source in General
§ Types of Open Source Licenses
§ How Copyleft Works
§ Security Concerns
B. Clauses Impacted
1. “Magical” Open Source Guarantee
2. IP Indemnity
3. IP Warranty
4. Limit of Liability
5. Security and Data Protection Terms
6. Security and Data Protection Indemnity
7. Attribution/Compliance warranty
9. Resources
• THE TECH CONTRACTS HANDBOOK: Software Licenses, Cloud Computing Agreements, and Other IT Contracts, for Lawyers and Businesspeople, Second Edition, by David W. Tollen (ABA Publishing 2015)
• TechContracts.com: form contracts, sample language, articles, & other resources – free – www.TechContracts.com
• Tech Contracts Academy™: training on drafting and negotiating IT contracts, for lawyers and businesspeople – www.TechContracts.com
• Sycamore Legal, P.C.®: legal services, including coaching/advice for in-house counsel – www.SycamoreLegal.com
11. Open Source Licenses
Software licensed with:
1. access to source code; and
2. the right to modify and redistribute.
12. Types of OSS/Licenses
Permissive Open Source Licenses: no significant restriction on the licensee’s right to redistribute – BSD, MIT
Copyleft Open Source Licenses: requirement that redistribution use the open source model
• Strong Copyleft (“viral”): all derivative/modified code must use the OSS model – GPL; even provision of SaaS may need the OSS model – AGPL
• Weak Copyleft: only the original code/library must use the OSS model – CDDL, MPL, LGPL
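How the license families above, together with the slide 6 inventory risks, turn into a screening check an engineering team can run before a release. This is an added example in Python, not code from the deck or from any Black Duck tool, and it is a heuristic for engineers rather than legal analysis. It applies the deck’s rules: permissive licenses only require attribution, weak copyleft obligations attach to the library itself and only on distribution, strong copyleft attaches to the whole modified/derivative work on distribution, and AGPL is also triggered by offering the software as a service. The inventory format, the SPDX identifiers used as table keys, the three usage modes and the sample components are all assumptions constructed for the example.

```python
"""Screen an open source component inventory against the deck's license
families (permissive / weak copyleft / strong copyleft) for a given usage mode.

Added example, not from the deck or any Black Duck tool; a screening heuristic,
not legal advice. Inventory format, identifiers and usage modes are assumptions.
"""
import re
from dataclasses import dataclass
from enum import Enum
from typing import List


class Family(Enum):
    PERMISSIVE = "permissive"
    WEAK_COPYLEFT = "weak copyleft"
    STRONG_COPYLEFT = "strong copyleft"
    NETWORK_COPYLEFT = "strong copyleft with network trigger"
    UNKNOWN = "unknown"


# SPDX base identifier -> family. MIT/BSD, LGPL/MPL/CDDL and GPL/AGPL are the
# deck's examples; Apache-2.0 is added as a common permissive license.
# Anything not listed is treated as unknown, which is itself a finding.
LICENSE_FAMILY = {
    "MIT": Family.PERMISSIVE, "BSD-2-Clause": Family.PERMISSIVE,
    "BSD-3-Clause": Family.PERMISSIVE, "Apache-2.0": Family.PERMISSIVE,
    "LGPL-2.1": Family.WEAK_COPYLEFT, "LGPL-3.0": Family.WEAK_COPYLEFT,
    "MPL-2.0": Family.WEAK_COPYLEFT, "CDDL-1.0": Family.WEAK_COPYLEFT,
    "GPL-2.0": Family.STRONG_COPYLEFT, "GPL-3.0": Family.STRONG_COPYLEFT,
    "AGPL-3.0": Family.NETWORK_COPYLEFT,
}

# Assumed usage modes: "internal" = never leaves the company, "saas" = offered
# to users over a network, "distribute" = shipped to customers as binary/source.
USE_MODES = ("internal", "saas", "distribute")


@dataclass
class Component:
    name: str
    version: str        # "" if the scanner could not determine it
    spdx: str           # SPDX license identifier, "" if unknown
    modified: bool = False


@dataclass
class Finding:
    component: str
    severity: str       # "blocker", "review" or "info"
    message: str


def classify(spdx_id: str) -> Family:
    """Map an identifier to a family; '-only' / '-or-later' suffixes are ignored."""
    base = re.sub(r"-(only|or-later)$", "", spdx_id)
    return LICENSE_FAMILY.get(base, Family.UNKNOWN)


def assess(inventory: List[Component], use: str) -> List[Finding]:
    """Return the findings for an inventory under one usage mode."""
    if use not in USE_MODES:
        raise ValueError(f"use must be one of {USE_MODES}")
    out: List[Finding] = []
    for c in inventory:
        if not c.version:   # slide 6 operational risk: age and patch status unknown
            out.append(Finding(c.name, "review", "operational risk: version not recorded"))
        fam = classify(c.spdx)
        if fam is Family.UNKNOWN:   # slide 6 legal risk: obligations unknown
            out.append(Finding(c.name, "review", f"legal risk: license {c.spdx!r} not recognised"))
        elif fam is Family.PERMISSIVE:   # attribution is still owed (slide 22)
            out.append(Finding(c.name, "info", "permissive: keep copyright notice and license text"))
        elif fam is Family.WEAK_COPYLEFT:
            if use == "distribute":   # only the library itself is affected
                what = "source of your modified library" if c.modified else "library source, or a pointer to it"
                out.append(Finding(c.name, "review", f"weak copyleft: distribution requires {what}"))
        elif use == "distribute":   # GPL and AGPL: the whole derivative work
            out.append(Finding(c.name, "blocker", "strong copyleft: distributing the combined work requires releasing it under the same license"))
        elif use == "saas" and fam is Family.NETWORK_COPYLEFT:
            out.append(Finding(c.name, "blocker", "AGPL: offering the service over a network requires offering source to its users"))
    return out


def blockers(findings: List[Finding]) -> List[str]:
    return [f.component for f in findings if f.severity == "blocker"]


# Constructed sample inventory, in the shape a scanner might report.
SAMPLE_INVENTORY = [
    Component("libfoo", "1.2.0", "MIT"),
    Component("parser", "4.0.1", "GPL-3.0-only"),
    Component("orm", "2.3.0", "AGPL-3.0-only"),
    Component("netlib", "0.9.5", "LGPL-2.1-or-later", modified=True),
    Component("mystery", "", ""),
]

if __name__ == "__main__":
    for mode in USE_MODES:
        print(f"== {mode} ==")
        for f in assess(SAMPLE_INVENTORY, mode):
            print(f"  [{f.severity}] {f.component}: {f.message}")
```

The same inventory passes for internal use, picks up one blocker (the AGPL component) for SaaS, and two blockers plus a weak-copyleft review item for distribution; the component with no version and no recognised license is flagged in every mode, which is the slide 6 point that an unchecked component is a risk before any license question is even asked.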
13. Security of OSS (or lack thereof)
• The problem: everyone gets access to the code, including attackers
• Heavily disputed in the OSS community – not our problem here
• The solution: data security terms, as in any other IT contract (but maybe more)
15. 1. “Magical” Open Source Guarantees
• Promise that the code won’t include OSS: “Yeah, right.”
• Promise that the code won’t include copyleft or strong copyleft: better
• View this instead as an issue for typical IT contract clauses, like warranty, indemnity, data security: best
16. 2. IP Indemnity
Typical IP indemnity should already cover copyleft claims
• Licensee can improve by specifying indemnity for “claims re restrictions on Distributor’s right to distribute the Licensed Program, or any modification thereof: (a) for a fee, (b) with or without source code or source code rights, or (c) with such restrictions as Distributor sees fit to place on its customers’ modification or distribution rights”
• But what happens if the vendor loses the suit?
17. 3. IP Warranty
Typical (from the Handbook): “Vendor represents and warrants that it is the owner of the System and of each and every component thereof, or the recipient of a valid license thereto, and that it has and will maintain the full power and authority to grant the intellectual property and other rights granted in this Agreement without the further consent of any third party.”
Copyleft-specific (from the Handbook): “Vendor represents and warrants that the Licensed Program does not include software subject to any legal requirement that would restrict Distributor’s right to distribute the Licensed Program, or any modification thereof: (a) for a fee, (b) with or without source code or source code rights, or (c) with such restrictions as Distributor sees fit to place on its customers’ modification or distribution rights.”
18. Warranty Remedies
Refund won’t make the licensee whole
• No restriction on warranty remedies?
• Cost of remediation as a remedy?
• Consequential damages as a remedy?
This becomes a limit of liability issue.
19. 4. Limit of Liability
Adjusting the standard terms:
• Higher dollar cap (3x, 5x, 10x, etc.)
• Consequential damages allowed
Adding restrictions:
• Intentional wrongdoing unlimited: might protect licensee
• Gross negligence unlimited: very little protection for licensee
20. 5. Security & Typical Data Protection Terms
Standard Data Security Terms
• Don’t use an NDA!
• Data Management and Data Security terms (see the Handbook) – including:
  - Audits
  - Obligations to fix vulnerabilities
  - Specifications for data security
Special OSS Terms:
• Obligation to disclose OSS
• Obligation to monitor OSS “out in the world”
• OR, vendor disclaimer of any obligation for OSS
21. 6. Security & Data Protection Indemnity
This is tricky, since it’s hard to know which party should be responsible for a data breach (unlike an IP claim).
• Vendor indemnifies all data breaches
• Vendor indemnifies all data breaches related to OSS
• Vendor indemnifies if it’s at fault
• Licensee indemnifies all data breaches (except maybe re OSS)
• Whoever’s computers were breached indemnifies
• No data breach indemnity
22. 7. Attribution/Compliance Warranty
• Typical IP Warranty: should cover it
• Clearer Attribution Warranty: “Vendor represents and warrants that all software included in the System includes attribution to third party vendors as required by such licenses.”
23. Thank you to Pixabay for several of these graphics: www.Pixabay.com