Buyer and Seller Perspectives on Open Source in Tech Contracts

David Tollen, Tech Contracts Academy; Phil Odence, Black Duck Software

Transcript of Buyer and Seller Perspectives on Open Source in Tech Contracts

Page 1: Buyer and Seller Perspectives on Open Source in Tech Contracts

David Tollen, Tech Contracts Academy

Phil Odence, Black Duck Software

Page 2: Buyer and Seller Perspectives on Open Source in Tech Contracts

Speakers

David Tollen, Founder & Trainer, Tech Contracts Academy; Founder and Attorney, Sycamore Legal, P.C.

Phil Odence, VP and General Manager, Black Duck Software

Page 3: Buyer and Seller Perspectives on Open Source in Tech Contracts

Intro

Trends in Software and Open Source

Page 4: Buyer and Seller Perspectives on Open Source in Tech Contracts

Open Source Has Blown Past the Tipping Point

Virtually all Global 2000 companies use open source to run critical infrastructure. - Gartner

[Chart: Open Source Projects (Millions), 2007 to 2017; values shown range from 0.1 to 2.5 million]

Page 5: Buyer and Seller Perspectives on Open Source in Tech Contracts

Your Clients Use Open Source

22% of applications had >50% open source

Source: BD 2017 OSSRA Study

Page 6: Buyer and Seller Perspectives on Open Source in Tech Contracts

Basic Challenge: OSS Often Enters a Code Base Unchecked

[Diagram: a code base made up of commercial code, 3rd party code, and open source. Purchasing asks of commercial code: Licensing? Security? Quality? Support? Open source enters without those checks.]

OPERATIONAL RISK: Which versions of code are being used, and how old are they?

LEGAL RISK: Which licenses are used, and do they match the anticipated use of the code?

SECURITY RISK: Which components have vulnerabilities, and what are they?

Management visibility… not!

Page 7: Buyer and Seller Perspectives on Open Source in Tech Contracts

Using OSS is Not a Free Lunch…

…internal governance maximizes OSS benefits while managing the risks


Page 8: Buyer and Seller Perspectives on Open Source in Tech Contracts

Understanding OSS in Contracts: Agenda

A. Open Source in General

• Types of Open Source Licenses

• How Copyleft Works

• Security Concerns

B. Clauses Impacted

1. “Magical” Open Source Guarantee

2. IP Indemnity

3. IP Warranty

4. Limit of Liability

5. Security and Data Protection Terms

6. Security and Data Protection Indemnity

7. Attribution/Compliance warranty

Page 9: Buyer and Seller Perspectives on Open Source in Tech Contracts

Resources

• THE TECH CONTRACTS HANDBOOK: Software Licenses, Cloud Computing Agreements, and Other IT Contracts, for Lawyers and Businesspeople, Second Edition, by David W. Tollen (ABA Publishing 2015)

• TechContracts.com: form contracts, sample language, articles, & other resources – free – www.TechContracts.com

• Tech Contracts Academy™: training on drafting and negotiating IT contracts, for lawyers and businesspeople – www.TechContracts.com

• Sycamore Legal, P.C.®: legal services, including coaching/advice for in-house counsel – www.SycamoreLegal.com

Page 10: Buyer and Seller Perspectives on Open Source in Tech Contracts

A. Open Source In General

Page 11: Buyer and Seller Perspectives on Open Source in Tech Contracts

Open Source Licenses

Software licensed with:

1. access to source code; and

2. the right to modify and redistribute.

Page 12: Buyer and Seller Perspectives on Open Source in Tech Contracts

Types of OSS/Licenses

Permissive Open Source Licenses

No significant restriction on the licensee's right to redistribute – BSD, MIT

Copyleft Open Source Licenses

Requirement that redistribution use the open source model

• Strong Copyleft (“viral”): all derivative/modified code must use the OSS model – GPL; even provision of SaaS may need the OSS model – AGPL

• Weak Copyleft: only the original code/library must use the OSS model – CDDL, MPL, LGPL
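The two slides above (the operational/legal/security risk questions, and the permissive vs. weak vs. strong copyleft taxonomy) describe the review a buyer's engineering team should run over an inventory of open source components. The following is an added example, not code from the presentation or from either speaker's company, that encodes only the slides' license categories as a decision table and applies them to a constructed component inventory. The SPDX identifiers, the component names, the versions and the "advisories" are all made up for illustration; Apache-2.0 being grouped with MIT/BSD as permissive is an assumption the slide does not state, and the whole thing is a triage aid, not a legal determination.

```python
"""Triage an open source component inventory against the slide's license
categories and a list of known-vulnerable versions.

Added example, not from the presentation. Inventory, SPDX ids and advisories
below are constructed sample data, not real projects or real CVEs.
"""
from dataclasses import dataclass

# SPDX identifier -> category, following the slide's taxonomy.
# Permissive: BSD, MIT.  Weak copyleft: CDDL, MPL, LGPL.
# Strong copyleft: GPL.  Network copyleft (reaches SaaS too): AGPL.
LICENSE_CATEGORY = {
    "MIT": "permissive",
    "BSD-2-Clause": "permissive",
    "BSD-3-Clause": "permissive",
    "Apache-2.0": "permissive",        # assumption: treated like MIT/BSD
    "LGPL-2.1-only": "weak-copyleft",
    "LGPL-3.0-only": "weak-copyleft",
    "MPL-2.0": "weak-copyleft",
    "CDDL-1.0": "weak-copyleft",
    "GPL-2.0-only": "strong-copyleft",
    "GPL-3.0-only": "strong-copyleft",
    "AGPL-3.0-only": "network-copyleft",
}

USAGES = ("internal", "distribute", "saas")

# Constructed advisories: component name -> first fixed version.
# Any version below the fixed version is treated as affected.
ADVISORIES = {"fastjsonlib": "2.4.1", "oldssl": "1.1.0"}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license_id: str


def categorize(license_id: str) -> str:
    """Map an SPDX id to the slide's category; anything else needs review."""
    return LICENSE_CATEGORY.get(license_id, "unknown")


def copyleft_obligation(component: Component, usage: str) -> str:
    """Return what copyleft reaches for the given usage of the component.

    'none'                 no source obligation under the slide's rules
    'component-source'     weak copyleft: the library/original code itself
    'whole-program-source' strong copyleft: the derivative work as a whole
    'review'               license not in the table; escalate to counsel
    """
    if usage not in USAGES:
        raise ValueError(f"usage must be one of {USAGES}, got {usage!r}")
    cat = categorize(component.license_id)
    if cat == "unknown":
        return "review"
    if cat == "permissive":
        return "none"
    # Copyleft is triggered by redistribution; only AGPL-style network
    # copyleft is also triggered by offering the code as a service.
    triggered = usage == "distribute" or (usage == "saas" and cat == "network-copyleft")
    if not triggered:
        return "none"
    return "component-source" if cat == "weak-copyleft" else "whole-program-source"


def parse_version(text: str) -> tuple:
    """Dotted numeric version -> comparable tuple (sample data is numeric)."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(component: Component) -> bool:
    """True if a constructed advisory says this version is below the fix."""
    fixed = ADVISORIES.get(component.name)
    return fixed is not None and parse_version(component.version) < parse_version(fixed)


def review(inventory, usage: str):
    """One finding per component: license category, obligation, vuln flag."""
    return [
        {
            "name": c.name,
            "version": c.version,
            "category": categorize(c.license_id),
            "obligation": copyleft_obligation(c, usage),
            "vulnerable": is_vulnerable(c),
        }
        for c in inventory
    ]


# Constructed inventory (hypothetical components and versions).
SAMPLE_INVENTORY = [
    Component("fastjsonlib", "2.3.0", "MIT"),
    Component("pdfkit", "1.8.2", "GPL-3.0-only"),
    Component("authsvc", "0.9.0", "AGPL-3.0-only"),
    Component("oldssl", "1.0.2", "LGPL-2.1-only"),
    Component("vendorblob", "3.1.0", "LicenseRef-vendor-eula"),
]

if __name__ == "__main__":
    for usage in USAGES:
        print(f"== usage: {usage}")
        for f in review(SAMPLE_INVENTORY, usage):
            print(f"{f['name']:<12} {f['version']:<7} {f['category']:<18} "
                  f"{f['obligation']:<21} vulnerable={f['vulnerable']}")
```

Running it shows the point the slides make about anticipated use: the same GPL component carries no source obligation for internal use or SaaS but does when the product is distributed, while the AGPL component is reached even by SaaS, and the two vulnerable versions are flagged regardless of license.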

Page 13: Buyer and Seller Perspectives on Open Source in Tech Contracts

Security of OSS (or lack thereof)

• The problem: everyone gets access to the code, including hackers

• Heavily disputed in the OSS community – not our problem here

• The solution: data security terms, as in any other IT contract (but maybe more)

Page 14: Buyer and Seller Perspectives on Open Source in Tech Contracts

B. Contract Clauses Impacted

Page 15: Buyer and Seller Perspectives on Open Source in Tech Contracts

1. “Magical” Open Source Guarantees

• Promise that the code won’t include OSS: “Yeah, right.”

• Promise that the code won’t include copyleft or strong copyleft: better

• View this instead as an issue for typical IT contract clauses, like warranty, indemnity, data security: best

Page 16: Buyer and Seller Perspectives on Open Source in Tech Contracts

2. IP Indemnity

Typical IP indemnity should already cover copyleft claims

• Licensee can improve by specifying indemnity for “claims re restrictions on Distributor’s right to distribute the Licensed Program, or any modification thereof: (a) for a fee, (b) with or without source code or source code rights, or (c) with such restrictions as Distributor sees fit to place on its customers’ modification or distribution rights”

• But what happens if the vendor loses the suit?

Page 17: Buyer and Seller Perspectives on Open Source in Tech Contracts

3. IP Warranty

Typical (from the Handbook)

“Vendor represents and warrants that it is the owner of the System and of each and every component thereof, or the recipient of a valid license thereto, and that it has and will maintain the full power and authority to grant the intellectual property and other rights granted in this Agreement without the further consent of any third party.”

Copyleft-specific (from the Handbook)

“Vendor represents and warrants that the Licensed Program does not include software subject to any legal requirement that would restrict Distributor’s right to distribute the Licensed Program, or any modification thereof: (a) for a fee, (b) with or without source code or source code rights, or (c) with such restrictions as Distributor sees fit to place on its customers’ modification or distribution rights.”

Page 18: Buyer and Seller Perspectives on Open Source in Tech Contracts

Warranty Remedies

A refund won’t make the licensee whole

• No restriction on warranty remedies?

• Cost of remediation as a remedy?

• Consequential damages as a remedy?

This becomes a limit of liability issue.

Page 19: Buyer and Seller Perspectives on Open Source in Tech Contracts

4. Limit of Liability

Adjusting the standard terms:

• Higher dollar cap (3x, 5x, 10x, etc.)

• Consequential damages allowed

Adding restrictions:

• Intentional wrongdoing unlimited: might protect the licensee

• Gross negligence unlimited: very little protection for the licensee

Page 20: Buyer and Seller Perspectives on Open Source in Tech Contracts

5. Security & Typical Data Protection Terms

Standard Data Security Terms

• Don’t use an NDA!

• Data Management and Data Security terms (see the Handbook) – including:

✓ Audits

✓ Obligations to fix vulnerabilities

✓ Specifications for data security

Special OSS Terms:

• Obligation to disclose OSS

• Obligation to monitor OSS “out in the world”

• OR, vendor disclaimer of any obligation for OSS

Page 21: Buyer and Seller Perspectives on Open Source in Tech Contracts

6. Security & Data Protection Indemnity

This is tricky, since it’s hard to know which party should be responsible for a data breach (unlike an IP claim).

• Vendor indemnifies all data breaches

• Vendor indemnifies all data breaches related to OSS

• Vendor indemnifies if it’s at fault

• Licensee indemnifies all data breaches (except maybe re OSS)

• Whoever’s computers were breached indemnifies

• No data breach indemnity

Page 22: Buyer and Seller Perspectives on Open Source in Tech Contracts

7. Attribution/Compliance Warranty

• Typical IP Warranty: should cover it

• Clearer Attribution Warranty: “Vendor represents and warrants that all software included in the System includes attribution to third party vendors as required by such licenses.”

Page 23: Buyer and Seller Perspectives on Open Source in Tech Contracts

Thank you to Pixabay for several of these graphics: www.Pixabay.com