The Open Secret: Open Source Software

If open source software did not exist, firms would need to spend 3.5 times more on software, according to a 2024 Harvard Business School paper . In fact, Synopsys' 2024 Open Source Security and Risk Analysis (OSSRA) report states that 96% of codebases contain open source software. So, what is open source software? What are the advantages and risks associated with it? And what are the practical considerations for businesses using open source software? This briefing looks at each of these three questions.

Now Reading

What is open source software?

Open source software ("OSS") is third-party code made available under a licence, where the licensee is given access to the source code and the freedom to copy, modify and distribute the software for any purpose. In order to be open source software, the distribution terms of the OSS must meet the Open Source Definition. Software subject to distribution terms which conform to some, but not all, of the criteria in the Open Source Definition is not open source software - if, for example, commercial exploitation is prohibited, this is inconsistent with the Open Source Definition.

This is not to say, however, that OSS can be used without restriction. In fact, often the converse is true, as noted in section 3.

Opening opportunities – the advantages of OSS

Some of the key benefits of OSS, which have contributed to its increasing prevalence, include the following factors:

Efficiency and boosting innovation

By using pre-prepared software, developers can avoid having to "reinvent the wheel". Not only does this allow for a faster time to market, but developers can also focus their time and resources on developing the innovative aspects of their software.

Cost-effectiveness

OSS is typically free of any upfront charge. The open source community also often provides free support and resources. This can be particularly beneficial to start-ups and small businesses that have limited funds.

Look at total cost of ownership

Sometimes additional software is required to execute the code that is contained within the OSS (executable software). From Red Hat Enterprise Linux to SUSE Linux Enterprise Server, executable software often requires a subscription fee.
Even where there are no upfront fees for the use or execution of OSS, costs and resources can (and should) be incurred to monitor compliance with licence requirements (as set out in section 3), and in respect of governance solutions, including record keeping, policies and procedures and oversight (as set out in section 4).

Quality: the "many eyes" theory

The open source community is highly active: in 2022 alone, a total of 413 million open source contributions were made to GitHub. By collaborating to scrutinise, test and develop OSS, this can lead to higher quality code. This is not only beneficial in terms of functionality, but also in respect of security. In fact, Linus Torvalds, creator of Linux kernel, referred to this as the "many eyes" theory – whereby, the openness of OSS provides more opportunities for code to be reviewed, e.g., such that its security is improved.

Favourable regulatory treatment?

Open source AI models and systems receive favourable regulatory treatment under the EU AI Act (provided they are not banned systems, high-risk or general-purpose AI models presenting systemic risk), lessening the compliance burden.

Not a free lunch - the risks associated with OSS

Without detracting from the numerous benefits of OSS, there are risks associated with OSS that businesses should not overlook:

Licence compliance and copyright infringement risk

Licensees of OSS must ensure that they comply with the applicable licence requirements. There are two main types of OSS:

permissive; and
restrictive (also known as "viral", "copyleft" or "reciprocal").

Permissive OSS licences typically grant the licensee the freedom to use, modify and redistribute the OSS and any derivative work. Often, the only requirement is that copyright notices are displayed which credit the developer of the OSS. Examples of permissive OSS licences include Apache, BSD and MIT.

Copyleft OSS licences, on the other hand, require that, where the OSS is combined with other software or further developments are made to the OSS, the entire work (including the business' own proprietary works) must be made available to others under the same open source licence as the copyleft OSS. Examples of copyleft OSS include GPL and Mozilla Public Licence 2.0. Copyleft OSS can therefore have an "infectious" or "viral" effect: the licensee can be forced to make its own derivative proprietary works freely available to the public. This can be particularly problematic where a business' proprietary works are core to the business, such as a software business. The business' value can be severely undermined if it transpires (often uncovered in an M&A context) that copyleft OSS requires that the business' proprietary works are made publicly and freely available.

Another common problem is where multiple open source packages are used for a project, or an OSS package is dependent on other OSS to operate, where the packages are covered by open source licences the terms of which are incompatible with each other, leading to licence conflicts.

53%

of all code bases contained OSS licence conflicts

OSS licence compliance requirements are typically only triggered where software is distributed, as opposed to software that is used internally within a business. That said, while generally software as a service ("SaaS") is not considered distributable, some OSS licence restrictions are triggered without requiring distribution (for example, triggered by indirect access or network usage), which could, therefore, include SaaS.

At worst, these issues can prevent a business from selling its product as it intended, require substantial remediation costs to fix the problem, and/or create an exposure to copyright infringement claims.

The recent case before the French courts of Entr'Ouvert v. Orange highlights the importance of ensuring that OSS licence requirements are complied with. In that case, the Court of Appeal of Paris held that telecoms provider, Orange, had violated certain GPL licence requirements, including the obligation to include notices and to make available its source code. Orange was ordered to pay over €900,000 to software company, Entr'Ouvert.

Security issues

Whilst the open source community and publicly accessible nature of OSS provides many benefits, it can introduce certain vulnerabilities.

Firstly, contributors to OSS may not be security experts, resulting in potential security vulnerabilities within the code.

Secondly, cyber criminals can quickly and easily review OSS to detect and exploit vulnerabilities in the code. For example, the Equifax data breach in 2017 was due to a known vulnerability in an OSS component on Equifax's webserver which it had failed to patch.

74%

of all code bases contained high-risk (i.e. actively exploited) vulnerabilities in 2023

Lack of Contractual Protection

Typically, OSS does not offer the protections that are often included in a proprietary licence, such as warranties and indemnities. OSS is usually supplied "as is".

Avoiding Unfair Perceptions

As we discuss in our Tech.Spotlight video series, the risks associated with OSS can sometimes lead to an unfair perception of OSS, when, in fact, these risks can be mitigated. In the section below, we consider the practical steps that can be taken to manage the risks associated with OSS.

Approaching OSS with open eyes - practical considerations

What are the practical considerations for businesses looking to embrace the benefits of OSS whilst also remaining conscious of the risks?

OSS audit

Firstly, you will need to conduct an OSS audit to establish and record: (i) what OSS is used; (ii) where it is used; (iii) why it is used; and (iv) if there are any risks relating to the OSS (for example, in relation to copyleft OSS).

In the context of M&A deals, particularly where software is a key component of the target business, you will need to undertake due diligence and include warranties in relation to OSS.

Automated scans of software should significantly improve the process of identifying and tracking OSS components.

Policies and Procedures

Whether OSS is included as part of a software product or within internal systems, policies and procedures can assist in mitigating the risks outlined above. This includes ensuring that businesses:

effectively track the use of OSS;
establish and maintain policies and procedures outlining approved licences for OSS (which may include banning or requiring prior permission for the use of copyleft OSS, for example), review processes, and documentation requirements in relation to OSS; and
keep security patches and software updates up to date.

Staff training

Your developers and legal and compliance teams should be trained so that they understand the implications of using OSS and the importance of compliance with OSS licences.

Get In Touch

The Technology & Commercial Transactions team at Travers Smith has considerable expertise and experience in advising businesses on the risks and practical steps that can be taken in relation to the use of OSS, including in the context of software development and M&A deals. Please feel free to get in touch.

Read Louisa Chambers Profile