Key Legal Risks When Contracting For Open-Source Software

Open Source Software (“OSS”) has become a critical component of many modern applications and systems. Its widespread adoption is driven by cost savings, flexibility, and rapid innovation. However, OSS also presents distinct legal risks and considerations that must be addressed when contracting for its use, integration, or distribution. This article provides a practical overview of the key legal and commercial issues that legal and commercial teams should consider to ensure compliance and mitigate the risks associated with the use of OSS.

Understanding OSS and its licensing models

OSS refers to software where the source code is made publicly available (in other words, the source code is ‘open’), permitting users to use, modify, and distribute such source code. Unlike proprietary software, OSS is governed by a range of licences, each with distinct obligations and restrictions.

OSS licences generally fall into two categories: permissive and copyleft. Permissive licences allow broad use with minimal restrictions, while copyleft licences typically require derivative works to be distributed under the same licences terms. Some of the most common permissive OSS licences include the Apache License, MIT License and BSD License, and one of the most common copyleft licences is the GNU General Public License ("GPL").

Some OSS licences require users to provide proper attribution to the original authors, and non-compliance may trigger obligations to make derivative works publicly available under the same licence terms. This can result in the loss of key intellectual property rights in developed applications and software. It is therefore essential to understand the implications of each licence type to ensure compliance and avoid inadvertent breaches.

Key legal risks when contracting for OSS

Some of the key legal risks introduced through the use of OSS include:

• Licence compliance: Failure to comply with OSS licence terms can result in legal action, loss of rights to use the software, and reputational damage. Copyleft licences, for example, may require public disclosure of source code if OSS is modified or integrated into proprietary products.
• Intellectual property risks: OSS projects may contain code contributed by multiple parties, raising questions around provenance and ownership of the underlying intellectual property rights in such source code. There is also a risk that OSS may inadvertently include patented technology or code with unclear copyright status.
• Third-party code and dependencies: Many OSS projects rely on libraries and modules from other OSS projects, creating a complex network of dependencies. Each dependency may be subject to its own licence terms and obligations.
• Warranty and indemnity limitations: OSS is generally provided “as-is,” without warranties or indemnities. This means that if the software contains defects or vulnerabilities, the user may have limited recourse against the original developers or contributors.
• Security and data protection risks: OSS may be subject to less rigorous testing and quality control by the creators and contributors of the relevant OSS. This can expose users to security vulnerabilities, especially if the software is integrated into critical systems.
• Export control and regulatory compliance: In certain jurisdictions, OSS may be subject to export control laws or other regulatory requirements, for instance if such OSS contains encryption functionality.

Key contractual considerations

When contracting for OSS, whether for procurement, integration or distribution, legal teams should ensure that the relevant contract addresses, among other things, the following:

• Licence terms and obligations: Clearly identify all OSS components and their relevant licences. The contract should require compliance with all relevant licence obligations, including those triggered by modification or distribution.
• Supplier representations and warranties: Require suppliers to warrant and represent that OSS is properly licensed, free of undisclosed intellectual property claims, and does not infringe third-party rights.
• Audit and compliance rights: Include audit rights to verify OSS usage and compliance with applicable licence terms.
• Security and maintenance: Allocate responsibilities for security updates, vulnerability management, and ongoing maintenance. Specify how and when updates will be provided, and by whom.
• Termination and transition: Provide for termination arrangements and transition assistance, including ongoing compliance with OSS licence obligations following termination or expiry of the contract.
• Export and regulatory compliance: Require vendors to confirm compliance with applicable export control and regulatory requirements relating to the OSS, where relevant.

Practical Guidelines

The following practical steps can assist in mitigating risks associated with the use of OSS:

• Implement open source policies: Develop and enforce internal policies governing the acquisition, integration, and distribution of OSS.
• Conduct licence reviews: Regularly review OSS licences and update internal guidelines to reflect changes in licence terms.
• Assess commercial viability: Consider whether commercial objectives can be achieved within the constraints of the applicable OSS licence.
• Maintain an OSS inventory: Keep an up-to-date record of all OSS components in use, including applicable licences and version history.
• Educate stakeholders: Provide training to developers, procurement, legal, and commercial teams on OSS licence compliance and the importance of following proper usage protocols.

Therefore, OSS offers potential benefits, including cost efficiencies and accelerated development, but it also introduces complex legal and contractual risks. By proactively addressing licence compliance, intellectual property risks, security considerations and regulatory requirements, organisations can leverage OSS while minimising risk.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.