
Lower your risk from open-source free software in three steps

As a founder or key player in a start-up, ask whether you and your organization are ready for the next big sale, funding round, or acquisition. Tracking your intangible assets and liabilities helps. In particular, it pays to track the Open-Source Free Software (OSFS) components you use in your software. Lower your risks with awareness, records, and procedures.

Defining open-source free software

The terms open-source and free are often used without explanation, so here are some working definitions for Free Open-Source Software (FOSS), also called Open-Source Free Software (OSFS).

Open source means you can read the source code

The public can access the source code of open-source software. Open-source software may be developed collaboratively in public, but this isn’t guaranteed: some commercial software is open-source and released under a “free” licence.

Free has many meanings

Free can be a deceptive term, much like “democratic” in the name of a country. The Democratic People’s Republic of Korea and the German Democratic Republic aren’t examples of free places. Lots of free software comes with all sorts of restrictions on its use. However, it is generally of high quality and delivered free: gratis, at no charge. So it is free like a puppy.

[Figure: a photograph of a puppy.] Open-source free software can be free like a puppy.

Free software is computer software released under a licence in which the copyright holder grants users the rights to use, study, change, and distribute the software or its source code, but also restricts those same actions. The licence may further require you to waive certain IP rights and to grant licences to patents or trademarks. The proponents of OSFS rarely emphasize the restrictions, waivers, and agreements to give away your IP.

What are the benefits with open-source free software?

There are many benefits to using this software, including lower costs, high quality, and standard practice. The first two are self-explanatory. The last one is important: often OSFS is the standard. Consider how many companies use software like Apache, Docker, Git, Linux, MySQL, Node.js, and Selenium.

What are the problems with open-source free software?

Open-source free software is everywhere, and most companies depend on software like Linux or Git. But OSFS comes with some risks, and the impact of those risks can be the loss of your company.

There are three risks with open-source free software: 

  • culture,
  • security, and
  • legal.

Developers learn that software can be given away for free, and then work to weaken the IP rights of their employers. This is a dangerous mindset for which you can thank the leaders of the free software movement, people who don’t need to sell software to earn a wage.

Consider the security risks that come with OSFS. Anyone can view the code to learn its vulnerabilities. Some actors manipulate the code by inserting malicious code or by leaving exploitable bugs unfixed. There is no guarantee about the testing done on OSFS. Support is missing or minimal, so it takes time to learn of an issue and fix it yourself. For more, see Canadian Centre for Cyber Security, 2020, Security considerations when using open source software, document ITSAP.10.059.

You face many legal risks when using open-source free software. You must abide by the licence for every piece of software you use. This includes all the third-party software your organization in-licenses, both commercial software and open-source free software.

[Figure: the copyleft symbol, the mirror image of the copyright symbol.] The copyleft symbol is the mirror of the one for copyright. Understand what this symbol means before using copyleft code.

You are bound by the terms of the licence, and if you are in breach there can be trouble. Viral licences present the most serious consequence. If you trigger the conditions of a viral (copyleft) licence, you have to make your own code open source and distribute it under such a licence. This is a big impact and an existential threat to most small companies. Sometimes a copyleft licence also requires you to waive IP rights or to agree to license rights such as a patent or trademark. Again, a big impact.

Good news

There is, however, good news. Merely using viral open-source free software doesn’t automatically trigger the onerous parts of the licence. For example, the GNU General Public License is only triggered in certain situations. As well, there are many non-viral licences; the MIT licence, for example, is quite permissive.

Taking action as part of IP management 

Now that you are aware of OSFS, consider how it can sink a deal. Buyers and investors look at OSFS in their due diligence. Help yourself by being able to share which components are in your software. So keep good records, and impress others by having a proper management process for all third-party software.

Generating records

You can create the records manually or automatically. The automated systems are commercial, and which one to use depends on the nature of your software, your business, and the transaction. The point is to have records to share if requested.

Automated tools

Retroactively finding all the third-party code is hard. One issue is transitive dependencies: a component pulled in by another component might not get listed. A second is “licence masking”, where the licence you found is really a mask for the real licence. Therefore, you may want to use a product that scans your code for third-party software.

Manual tracking

Even if you use an automated system, keep an export that you can edit as a manually maintained list. With this practice you aren’t tied to any vendor.

It is easy to build a list of components as you go. The record schema is simple: one main table, a dozen columns, normalization optional. There are three thousand or so OSFS licences, but only about twenty are common. All it takes is one shared spreadsheet or CSV file in a revision control system. You may also want to track the existence of the spreadsheet in your intangible asset management system.

Manual lists are great for supporting your approval process. 

Have a management process to reduce your risk

Set up an approval process for the use of third-party code. Developers use the process to request use of a library by providing details such as name, licence, and how they plan to use the code. The approver reviews the request, applies advice already received from a lawyer, or seeks new advice.
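The two practices above, the manually maintained component list (one table, a dozen columns, kept as a CSV under revision control) and the approval process that feeds it, can be checked with a short script. The following is an added example written for this post, not tooling from the original article or from any vendor. The column names, the component and package names, the dependency graph, the licence classification and the licence-header lookup are all constructed for illustration; a real inventory would carry your own columns and would resolve dependencies from your build system. It shows the three review points the text raises: a transitive dependency that never made it into the list, a declared licence that does not match the licence text (licence masking), and a copyleft component shipped in distributed code without a recorded approval.

```python
"""Checks over a constructed third-party component inventory (added example)."""
import csv
import io

# Constructed inventory: one row per directly requested component, as a
# developer would enter it through the approval process.
INVENTORY_CSV = """\
name,version,declared_licence,licence_file_header,usage,distributed,approved_by,approval_date
webframework-x,2.1.0,MIT,MIT License,linked,yes,jane,2023-04-01
crypto-lib-y,1.4.2,Apache-2.0,Apache License Version 2.0,linked,yes,jane,2023-04-01
chart-widget-z,0.9.0,MIT,GNU GENERAL PUBLIC LICENSE Version 3,linked,yes,,
build-helper-w,3.0.1,GPL-3.0-only,GNU GENERAL PUBLIC LICENSE Version 3,build-only,no,jane,2023-05-10
"""

# Constructed dependency graph: package -> (its licence, its own dependencies).
# Only packages present in INVENTORY_CSV count as listed; anything reached
# solely through another package is a transitive dependency.
DEPENDENCY_GRAPH = {
    "webframework-x": ("MIT", ["template-engine-q", "http-parser-r"]),
    "crypto-lib-y": ("Apache-2.0", []),
    "chart-widget-z": ("MIT", ["http-parser-r"]),
    "build-helper-w": ("GPL-3.0-only", []),
    "template-engine-q": ("BSD-3-Clause", []),
    "http-parser-r": ("LGPL-2.1-only", []),
}

# Constructed classification of a few common licence identifiers. Copyleft
# licences carry obligations that distribution may trigger, so they are the
# ones to route to legal review when the component ships in your product.
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "LGPL-2.1-only"}
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Constructed map from the first line of a LICENSE file to an identifier,
# used to compare what the package *declares* against what its text *says*.
HEADER_TO_ID = {
    "MIT License": "MIT",
    "Apache License Version 2.0": "Apache-2.0",
    "GNU GENERAL PUBLIC LICENSE Version 3": "GPL-3.0-only",
}


def load_inventory(text):
    """Parse the CSV inventory into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def resolve_transitive(graph, roots):
    """Return every package reachable from the roots that is not itself a root."""
    seen, stack = set(), list(roots)
    while stack:
        pkg = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        stack.extend(graph.get(pkg, ("", []))[1])
    return sorted(seen - set(roots))


def check_inventory(rows, graph):
    """Return (component, finding) pairs an approver should look at."""
    findings = []
    for row in rows:
        name = row["name"]
        declared = row["declared_licence"]
        actual = HEADER_TO_ID.get(row["licence_file_header"], "unknown")
        if actual != declared:
            findings.append((name, f"licence masking: declared {declared}, text says {actual}"))
        if actual in COPYLEFT and row["distributed"] == "yes":
            findings.append((name, f"copyleft {actual} in distributed code: needs legal review"))
        if not row["approved_by"]:
            findings.append((name, "no approval recorded"))
    # Anything pulled in transitively but absent from the list is a gap in the records.
    roots = [r["name"] for r in rows]
    for pkg in resolve_transitive(graph, roots):
        lic = graph[pkg][0]
        kind = "copyleft" if lic in COPYLEFT else "permissive" if lic in PERMISSIVE else "unclassified"
        findings.append((pkg, f"transitive dependency not in inventory ({lic}, {kind})"))
    return findings


if __name__ == "__main__":
    for component, finding in check_inventory(load_inventory(INVENTORY_CSV), DEPENDENCY_GRAPH):
        print(f"{component}: {finding}")
```

Run as a script, it lists five findings: three against `chart-widget-z` (its LICENSE text is GPL although the row says MIT, it ships in distributed code, and nobody approved it) and two transitive packages missing from the list, one of them LGPL. The classification sets are deliberately tiny; the point is that the list itself, not the tool that produced it, is what an acquirer's due diligence will ask for, and a check like this keeps it honest between reviews.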

[Figure: a block of Python code, coloured text on a black background.] Have a decision maker who can read the code.

Get advice on the process and on specific risks. It is impossible to give stock advice as to what code you should use and what you should avoid. Advice changes with the facts, and actions depend on your options and your risk tolerance.

IP Management

This is part of our series on intellectual property management. You may be interested in:


We don’t provide legal advice on specific risks under contract or copyright law, but we can introduce you to a lawyer who can. We can help you with education on risks and with setting up a record-keeping system or approval process. Please do contact us.
