Buyer and Seller Perspectives on Open Source in Tech Contracts
Transcript of Buyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech Contracts
David Tollen, Tech Contracts Academy
Phil Odence, Black Duck Software
Speakers
David Tollen: Founder & Trainer, Tech Contracts Academy; Founder and Attorney, Sycamore Legal, P.C.
Phil Odence: VP and General Manager, Black Duck Software
Intro
Trends in Software and Open Source
Virtually all Global 2000 companies use open source to run critical infrastructure. - Gartner
Open Source Has Blown Past the Tipping Point
[Chart: Open Source Projects (Millions), 2007 to 2017]
Your Clients Use Open Source
22% of applications had >50% open source
Source: BD 2017 OSSRA Study
Basic Challenge: OSS Often Enters a Code Base Unchecked
[Diagram: commercial 3rd-party code enters the code base through purchasing, with checks on licensing, security, quality and support; open source enters the code base directly]
OPERATIONAL RISK: Which versions of code are being used, and how old are they?
LEGAL RISK: Which licenses are used, and do they match the anticipated use of the code?
SECURITY RISK: Which components have vulnerabilities, and what are they?
Management visibility… not!
Using OSS is Not a Free Lunch…
…internal governance maximizes OSS benefits while managing the risks
Understanding OSS in Contracts: Agenda
A. Open Source in General
• Types of Open Source Licenses
• How Copyleft Works
• Security Concerns
B. Clauses Impacted
1. “Magical” Open Source Guarantee
2. IP Indemnity
3. IP Warranty
4. Limit of Liability
5. Security and Data Protection Terms
6. Security and Data Protection Indemnity
7. Attribution/Compliance Warranty
Resources
• THE TECH CONTRACTS HANDBOOK: Software Licenses, Cloud Computing Agreements, and Other IT Contracts, for Lawyers and Businesspeople, Second Edition, by David W. Tollen (ABA Publishing 2015)
• TechContracts.com: form contracts, sample language, articles, & other resources – free – www.TechContracts.com
• Tech Contracts Academy™: training on drafting and negotiating IT contracts, for lawyers and businesspeople – www.TechContracts.com
• Sycamore Legal, P.C.®: legal services, including coaching/advice for in-house counsel – www.SycamoreLegal.com
A. Open Source in General
Open Source Licenses
Software licensed with:
1. access to source code; and
2. the right to modify and redistribute.
Types of OSS/Licenses
Permissive Open Source Licenses
No significant restriction on licensee right to redistribute – BSD, MIT
Copyleft Open Source Licenses
Requirement that redistribution use the open source model
• Strong Copyleft (“viral”): all derivative/modified code must use OSS model – GPL; even provision of SaaS may need OSS model – AGPL
• Weak Copyleft: only original code/library must use OSS model – CDDL, MPL, LGPL
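The three risk questions from the “Basic Challenge” slide above, applied to the license classes just listed, as an added example that is not from the deck, Black Duck or Tech Contracts Academy: a small inventory check that flags each component for operational, legal and security risk against the intended use (internal, SaaS or distribution). The license-to-class mapping, the 730-day staleness threshold, the fixed “today”, and the component names and advisory ids are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
# License classes from the slide; AGPL is kept separate because it also reaches SaaS.
# The mapping is an assumption made for this example, not legal advice.
LICENSE_CLASS = {
    "MIT": "permissive", "BSD-3-Clause": "permissive",
    "LGPL-2.1": "weak", "MPL-2.0": "weak", "CDDL-1.0": "weak",
    "GPL-3.0": "strong", "AGPL-3.0": "strong_saas",
}
TODAY = date(2018, 1, 1)  # fixed "today" so the age check is reproducible

@dataclass
class Component:
    name: str
    version: str
    spdx: str        # license identifier
    released: date   # release date of this version
    advisories: list = field(default_factory=list)  # constructed ids, not real CVEs

def assess(c, intended_use, today=TODAY, max_age_days=730):
    """Findings for one component as (category, message) pairs;
    intended_use is 'internal', 'saas' or 'distribute'."""
    findings = []
    age = (today - c.released).days
    if age > max_age_days:  # OPERATIONAL: how old is the version in use?
        findings.append(("operational", f"{c.name} {c.version} is {age} days old"))
    cls = LICENSE_CLASS.get(c.spdx, "unknown")
    if cls == "unknown":  # LEGAL: license cannot be matched to anticipated use
        findings.append(("legal", f"{c.name}: unrecognised license {c.spdx}"))
    elif cls == "strong_saas" and intended_use in ("saas", "distribute"):
        findings.append(("legal", f"{c.name}: {c.spdx} reaches {intended_use} use"))
    elif cls in ("strong", "weak") and intended_use == "distribute":
        findings.append(("legal", f"{c.name}: {cls} copyleft ({c.spdx}) on distribution"))
    for adv in c.advisories:  # SECURITY: which components have vulnerabilities?
        findings.append(("security", f"{c.name} {c.version}: {adv}"))
    return findings

def audit(components, intended_use, today=TODAY):
    """Group findings for the whole code base by the slide's three risk types."""
    report = {"operational": [], "legal": [], "security": []}
    for c in components:
        for cat, msg in assess(c, intended_use, today):
            report[cat].append(msg)
    return report

SAMPLE = [  # constructed inventory: names, versions and advisory ids are made up
    Component("libfoo", "1.2.0", "MIT", date(2015, 3, 1), ["ADV-EXAMPLE-0001"]),
    Component("barlib", "4.0.1", "AGPL-3.0", date(2017, 6, 1)),
    Component("bazjs", "0.9", "LGPL-2.1", date(2017, 1, 15)),
]
```

Running `audit(SAMPLE, "saas")` flags the AGPL component as a legal finding while the LGPL one passes; switching to `"distribute"` flags both.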
Security of OSS (or lack thereof)
• The problem: everyone gets access to the code, including hackers
• Heavily disputed in the OSS community – not our problem here
• The solution: data security terms, as in any other IT contract (but maybe more)
B. Contract Clauses Impacted
1. “Magical” Open Source Guarantees
• Promise that the code won’t include OSS: “Yeah, right.”
• Promise that the code won’t include copyleft or strong copyleft: better
• View this instead as an issue for typical IT contract clauses, like warranty, indemnity, data security: best
2. IP Indemnity
Typical IP indemnity should already cover copyleft claims
• Licensee can improve by specifying indemnity for “claims re restrictions on Distributor’s right to distribute the Licensed Program, or any modification thereof: (a) for a fee, (b) with or without source code or source code rights, or (c) with such restrictions as Distributor sees fit to place on its customers’ modification or distribution rights”
• But what happens if the vendor loses the suit?
3. IP Warranty
Typical (from the Handbook)
“Vendor represents and warrants that it is the owner of the System and of each and every component thereof, or the recipient of a valid license thereto, and that it has and will maintain the full power and authority to grant the intellectual property and other rights granted in this Agreement without the further consent of any third party.”
Copyleft-specific (from the Handbook)
“Vendor represents and warrants that the Licensed Program does not include software subject to any legal requirement that would restrict Distributor’s right to distribute the Licensed Program, or any modification thereof: (a) for a fee, (b) with or without source code or source code rights, or (c) with such restrictions as Distributor sees fit to place on its customers’ modification or distribution rights.”
Warranty Remedies
Refund won’t make the licensee whole
• No restriction on warranty remedies?
• Cost of remediation as a remedy?
• Consequential damages as a remedy?
This becomes a limit of liability issue.
4. Limit of Liability
Adjusting the standard terms:
• Higher dollar cap (3x, 5x, 10x, etc.)
• Consequential damages allowed
Adding restrictions:
• Intentional wrongdoing unlimited: might protect licensee
• Gross negligence unlimited: very little protection for licensee
5. Security & Typical Data Protection Terms
Standard Data Security Terms
• Don’t use an NDA!
• Data Management and Data Security terms (see the Handbook) – including:
  ✓ Audits
  ✓ Obligations to fix vulnerabilities
  ✓ Specifications for data security
Special OSS Terms:
• Obligation to disclose OSS
• Obligation to monitor OSS “out in the world”
• OR, vendor disclaimer of any obligation for OSS
6. Security & Data Protection Indemnity
This is tricky, since it’s hard to know which party should be responsible for a data breach (unlike an IP claim).
• Vendor indemnifies all data breaches
• Vendor indemnifies all data breaches related to OSS
• Vendor indemnifies if it’s at fault
• Licensee indemnifies all data breaches (except maybe re OSS)
• Whoever’s computers were breached indemnifies
• No data breach indemnity
7. Attribution/Compliance Warranty
• Typical IP Warranty: should cover it
• Clearer Attribution Warranty: “Vendor represents and warrants that all software included in the System includes attribution to third party vendors as required by such licenses.”
Thank you to Pixabay for several of these graphics: www.Pixabay.com