Open source software (OSS) is everywhere. It is found not only in conventional software, but also in many IT components: in the automotive industry, consumer electronics and medical technology. Wherever software is used, open source software is often present as well. Open source is also deployed in industrial machinery, IoT devices and in critical infrastructure, such as in control units of embedded systems.
The majority of companies in Germany consciously use open source software.1 In many cases, however, open source software is deployed unnoticed in the background. It isn’t possible to tell from a product which software components it contains – it just works. That could be a problem for companies: open source software may be freely used and adapted, but it is not software that is outside the law. Just like proprietary software, open source software is subject to licence conditions that must be complied with. Failure to do so constitutes a breach of the licence. Non-compliance with the terms of the licence may result in losing the rights of use. This leads to the risk of claims for remedy and injunctive relief. Even a product recall could become necessary if licences are infringed.
Facts & figures on OSS
- More than 100 licences for licensing OSS
- More than 100,000 OSS components freely available
- 99% of the software audited in 2019 included OSS
- 70% of the software audited in 2019 consisted of OSS (2015: 36%)
- 95% of IT decision-makers consider OSS important
Seizing opportunities, controlling risks
Strategic open source management helps companies to benefit from open source software while controlling the risks. The open source software to be used should be selected on the basis of a thorough cost-benefit analysis. From a legal viewpoint, analysis will focus on a structured assessment of the open source licences, which need to be aligned with the deployment scenario and the company’s risk profile; this process is called mapping. As part of this exercise, the opportunities and risks of open source must be weighed against one another:
High potential savings
- Reduced time-to-market for software development due to availability of open source software components
- No licence costs for acquiring the software
- Freedom to use the software and develop it (reduced vendor lock-in)
- Use of standard solutions avoids costly in-house development; low dependence on individual experts
Security and motivation
- Typically high level of software security due to regular software updates by the OSS community
- Motivational effect on software developers, e.g. by contributing to OSS projects
Legal risks
- Lack of awareness of which OSS licences are in use in the company
- High degree of legal complexity, with more than 100 licences in use and contradictory rules and conditions in some cases. Even minor breaches of licensing terms can have severe consequences:
- Sales stop: the products in question may no longer be sold
- Product recall: products already sold may have to be recalled
- System unavailability: further use of the software is not permitted
- Loss of sales and reputational damage
IP and protection of secrets
- Copyleft: your company’s own licensing strategy may be incompatible with OSS
- Trade secrets: uncontrolled disclosure of your own software runs the risk of revealing trade secrets
- Liability of management, including possible criminal liability for copyright infringement
Our advisory services around open source
The experts in the CMS Digital Business Group provide support for legally compliant use of open source software. Through many years of advisory experience, we have acquired in-depth expertise in reviewing, assessing and classifying open source licences. We work closely with tool providers to identify the open source software used in your organisation. When assessing the licences, we can draw on our own database with the results from analysing more than 100 open source licences. As an OpenChain member, our advice is based on international standards, thereby helping you to avoid silo solutions.
Overview of our services
- Open source governance: We can help you to introduce an open source governance system. On the basis of your risk profile, we work with you to develop structures and processes that ensure compliance with open source licences, using our own tools (CMS Open Source Kit) and established standards (primarily OpenChain). We can also issue you with corresponding confirmation after successful rollout.
- OpenChain verification: As an OpenChain partner, we have deep familiarity with the international standard for open source compliance. We can assist you with self-certification in line with the OpenChain specification. If required, we can also issue a certificate (CMS OpenChain Compliance Verification) of OpenChain conformance, which you can show to third parties. We help you check your upstream suppliers and provide the results in the form of a report.
- Policies & agreements: We handle drafting of open source policies and ensure that they are rolled out across the company in compliance with legal requirements. We regularly advise on licence agreements relating to commercial use of open source software.
- M&A transactions: In the context of M&A transactions, particularly when the sale of software is involved, we assist in identifying and mitigating risks while also clarifying warranty and liability issues. During transactions, we work closely with IT partners to identify OSS in the target firm. A software scan can be used to identify (unknown) OSS and assess it in terms of risks for the transaction.
- Training: Our training courses on using open source software are aimed at in-house counsel, compliance officers and software developers. On request, training sessions can be conducted and documented online. Our CMS Training product allows tracking and performance review.
- Dispute resolution: In the event of disputes, especially warnings resulting from a breach of open source compliance, we can provide representation in and out of court.
CMS Open Source Kit
We have developed a modular system that allows companies to stay on top of open source compliance: the CMS Open Source Kit (OSK) brings together legal tech and tailored legal advice. It combines a technical workstream (use of a database containing standardised evaluations of more than 100 open source licences) with highly specialised legal advice geared to the client’s particular needs.
OSK is suitable for performing the following tasks quickly via automated techniques:
- Mapping: Aligning OSS deployment scenarios in the organisation with compatible licences. The licences corresponding to the company’s use case and risk profile are determined on the basis of specific parameters and presented in transparent fashion.
- Risk assessment: Based on a standardised assessment of various risk dimensions, different degrees of risk can be identified (rather than just a yes/no assessment).
- Blacklists/whitelists: Generating lists of licences that match the company’s risk profile.
- Compliance check: Generating checklists to verify compliance of all licences in the database.
- Documentation: Providing templates to show the company’s specific licence obligations and document licence compliance.
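The mapping, blacklist/whitelist and compliance-check tasks listed above can be illustrated with a small policy check over a component inventory. The following is an added example, not the CMS Open Source Kit, its database or its rules: the licence categories, the deployment-scenario policy and the obligation texts are simplified assumptions constructed for this illustration, and the inventory is a constructed sample of SPDX identifiers.

```python
"""Licence-policy check over a component inventory (added example).

Maps a deployment scenario to the licence categories a company policy
accepts, then produces an allow/deny/review decision per component plus
the obligations that follow. All tables below are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed, simplified classification of a few SPDX licence identifiers.
# Not a legal assessment of these licences; an assumption for the example.
LICENCE_CATEGORY = {
    "MIT": "permissive",
    "BSD-3-Clause": "permissive",
    "Apache-2.0": "permissive",
    "MPL-2.0": "weak-copyleft",
    "LGPL-2.1-only": "weak-copyleft",
    "GPL-3.0-only": "strong-copyleft",
    "AGPL-3.0-only": "network-copyleft",
}

# Deployment scenario -> categories the (assumed) company policy accepts.
# This is the "mapping" step: the whitelist depends on how the software ships.
SCENARIO_ALLOWED = {
    "internal": {"permissive", "weak-copyleft", "strong-copyleft", "network-copyleft"},
    "saas": {"permissive", "weak-copyleft", "strong-copyleft"},
    "distributed-binary": {"permissive", "weak-copyleft"},
}

# Simplified obligations per category, used to build the compliance checklist.
OBLIGATIONS = {
    "permissive": ["keep copyright and licence notice"],
    "weak-copyleft": ["keep notices", "provide source of modified library files"],
    "strong-copyleft": ["keep notices", "provide complete corresponding source"],
    "network-copyleft": ["keep notices", "offer source to users interacting over a network"],
}


@dataclass
class Component:
    name: str
    version: str
    licence: str  # SPDX identifier as declared in the inventory


@dataclass
class Finding:
    component: Component
    category: str
    decision: str  # "allow", "deny" or "review"
    obligations: list
    reason: str


def assess(component: Component, scenario: str) -> Finding:
    """Decide one component against the policy for the given scenario."""
    if scenario not in SCENARIO_ALLOWED:
        raise ValueError(f"unknown deployment scenario: {scenario}")
    category = LICENCE_CATEGORY.get(component.licence)
    if category is None:
        # Unknown or custom licence: never auto-allow, route to manual review.
        return Finding(component, "unknown", "review", [],
                       f"licence {component.licence!r} not in the policy database")
    if category in SCENARIO_ALLOWED[scenario]:
        return Finding(component, category, "allow", OBLIGATIONS[category],
                       f"{category} is permitted for scenario {scenario!r}")
    return Finding(component, category, "deny", OBLIGATIONS[category],
                   f"{category} is blacklisted for scenario {scenario!r}")


def assess_inventory(components, scenario: str):
    """Run the check over a whole inventory and return one finding per entry."""
    return [assess(c, scenario) for c in components]


def summarise(findings):
    """Count decisions, e.g. {'allow': 3, 'deny': 2, 'review': 1}."""
    counts = {"allow": 0, "deny": 0, "review": 0}
    for f in findings:
        counts[f.decision] += 1
    return counts


# Constructed sample inventory (names, versions and licences are made up).
SAMPLE_INVENTORY = [
    Component("libfoo", "1.2.0", "MIT"),
    Component("netlib", "0.9.1", "Apache-2.0"),
    Component("uiwidgets", "3.0.0", "LGPL-2.1-only"),
    Component("mediacodec", "2.4.7", "GPL-3.0-only"),
    Component("analytics", "1.0.0", "AGPL-3.0-only"),
    Component("vendor-blob", "0.1", "LicenseRef-Proprietary-Unknown"),
]

if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY, "distributed-binary"):
        print(f"{f.decision:6} {f.component.name:12} {f.component.licence:30} {f.reason}")
    print(summarise(assess_inventory(SAMPLE_INVENTORY, "distributed-binary")))
```

Running the sample against the "distributed-binary" scenario allows the permissive and LGPL components, denies the GPL and AGPL ones, and sends the component with an unrecognised licence identifier to manual review rather than silently passing it; the same inventory under "saas" or "internal" yields a different whitelist, which is the point of tying the list to the deployment scenario.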
The CMS Open Source Kit features a modular design. The results can be integrated into existing toolchains and standard processes.
Would you like to find out more about innovative ways of ensuring efficient open source compliance? Please feel free to get in touch at any time.
1 Bitkom Open Source Monitor 2019, p. 15, companies with 100 employees or more.