A Guide to Open-Source Licensing: Understanding the Risks within Software Escrow Agreements

Introduction

Open-source code refers to software code that is made freely available to the public. It is developed collaboratively by a community of software developers who contribute, review and improve upon the code. The fundamental principle behind open-source is transparency and openness. It encourages a culture of sharing and collaboration, promoting innovation and collective problem solving. Open-source projects typically provide access to their source code, allowing anyone to view, modify and distribute it for various purposes.

Open-source code is often governed by licences, such as popular GNU General Public License (GPL) or the MIT license, which outline the permissions and restrictions associated with its use.

This guide highlights some of the potential considerations and obligations related to open-source code in relation to software escrow services, M&A and compliance.

Obligations of open-source software licences

With the volume and ease of availability of access to third-party software components, libraries, frameworks and packages from sites such as GitHub, NPM and Maven, it is not uncommon for modern software applications to be composed of up to 90% third-party open-source software.

You can think of modern software development as a software supply chain. See figure below.

Open-source software supply chain

Figure: Open-Source software supply chain

However, although these third-party components which are freely available from multiple sources come with obligations. These obligations are defined by the terms of the licence. A delivered code base will include multiple third-party components each with their own licence(s) which results in multiple open-source licences to be complied with. Typically, obligations will include some or all the following:

1: Attribution and Notices – You may need to provide or retain copyright and licence text in the source code and/or product documentation or user interface, so that downstream users know the origin of the software and their rights under the licences.

2: Source code availability – You may need to provide source code for the open-source software, for modifications you make, for combined or linked software.

3: Reciprocity – You may need to maintain modified versions or derivative works under the same licence that governs the open-source software component.

4: Other terms – The open-source software licence may restrict use of the copyright holder name or trademark, may require modified versions to use a different name to avoid confusion, or may terminate upon any breach.

Because of the multitude of licences, variety of terms and the general lack of knowledge and guidance about licensing generates confusion which leads to decisions being made that could have a significant business risk to organisations such as IP infringement which could result in outcomes such as devaluing of a business and reputational damage.

Another challenge for software vendors leveraging open-source code is demonstrating to customers, prospective customers and partners that they can trust the open-source software supply chain behind their solutions. This lack of demonstrable trust could lead to commercial restrictions such as loss of revenue for the software vendors.

Risks of open-source code within Software Escrow agreements

The requirement for software escrow agreements is often included within software licence or SaaS licence agreements. This requirement obligates the software developer to deposit their application source code with a trusted source code escrow vendor. However, in the event of a trigger situation and the source code is transferred to the beneficiary to use to maintain their system, it may turn out that the source code has been misused by the developer resulting in the beneficiary to the escrow service being in breach of the licensing obligations by default. The beneficiary company could be exposed to such breaches even if they weren’t aware of the inclusion of open-source code within the code base which is a risk that could result in heavy legal issues for the beneficiary.

An example of a breach could result from copyleft licensing. Copyleft licences (the most common is GNU General Public License (GPL) impose certain conditions on the distribution and modification of the licenced software. The GPL allows users to freely use, modify, and distribute the licenced software, provided that any modifications or derivative works are also made available under the same copyleft terms.

To minimise the risk of breaching open-source and copyleft licensing obligations, it is recommended for beneficiaries to request an open-source code audit to provide an insight into what code is actually used within an application and if there may be any potential licensing breaches.

Why recommend an open-source code audit? How to avoid such risks?

There are some instances when an organisation may want to consider instructing an expert open-source auditing firm to perform an audit on their behalf to ensure good visibility into their open-source use. The reasons for your clients to use an open-source code audit are as follows:

1: Continuity – Software and SaaS escrow solutions assist with continuity of service. Clients should want to know what source code is used within the software they use. This ensures compliance should they ever need to operate the system and potentially be liable for  any licensing obligations. 

2: Investment – The opportunity to invest in a software or SaaS company may be tempting for some investors. Before investing your client needs to ensure that the IP of the company is actually owned by that company and does not contain open-source code which may have a negative effect on the value of the company.

3: Acquisition (M&A) – Open-source code audits are commonly used during an M&A process. The reason for this is that the buyer gets an understanding of their potential legal exposure from licensing issues For example, if open-source code with a GPL licence exists within the code base, this will most likely be problematic. This can also help with valuing the investment/purchase.

4: Outsourced Developer – If your client subcontracts software development to a third-party developer, you may advise them to request assurances or warranties that the codebase does not contain any open-source code or to understand where open source code has been used to limit any potential exposure.

5: Security – The use of open-source code comes with security risks as the code is available to the public. Hackers can use this code to seek out and exploit vulnerabilities that may exist. Research has shown that 78% of audited codebases contained at least one open-source vulnerability, of which 54% were high-risk ones that hackers could exploit. The Log4j breach highlights the inherent risks of open-source code embedded within IT systems. An open-source code audit and implementing a policy of maintaining a Software Bill of Materials (SBOM) will assist in identifying known vulnerabilities in a codebase.

6: Compliance – Third party software regulations has become increasingly important in various sectors globally. One notable example is the White House order that mandates the inclusion of a Software Bill of Materials (SBOM) in certain software systems. A SBOM is a comprehensive inventory of the components and dependencies used in a software application. This order emphasizes transparency and accountability, as it enables organisations to understand the composition of their software and assess potential vulnerabilities or licensing issues.

##

About Escrow London

Escrow London is a global software and SaaS escrow company with offices in London, UK, Atlanta, USA, and Sydney, Australia.

We have invested considerable resources into innovation to reinvent software escrow for a SaaS world. Escrow London provides a range of SaaS Continuity escrow solutions suitable for AWS, Microsoft Azure and Google Cloud hosted SaaS applications. We support a wide range of clients includes major law firms, banks, central banks, insurance companies, technology companies and government organisations.

To find out more about Software Escrow and SaaS Escrow, visit our YouTube channel.