Open-source software (OSS) is widely used throughout the software industry and can generally be incorporated into commercial products or used internally as development tools. OSS is made available under licenses permitting users to access, use, modify, and distribute publicly available source code subject to specific license terms. Some OSS license rights are more permissive than others.
The use of OSS can facilitate software development by allowing companies to leverage existing technologies rather than developing all functionality internally. Similarly, it can allow a broader group to maintain and debug such software code rather than manage such internally, where resources may be constrained.
Although OSS is generally available for use under open-source licenses, those licenses often contain conditions relating to attribution, redistribution, modification, source code availability, or other compliance obligations. The nature of these obligations varies depending on the applicable license and how the software is used. Some licenses, such as so-called “copyleft” licenses, could have significant implications if combined with proprietary company code. As a result, OSS is a common focus of technology due diligence in mergers and acquisitions. The following are examples of OSS-related topics that frequently arise during due diligence.
Does the Company Maintain an Open-Source Software Policy?
Buyers frequently assess whether a company maintains a written OSS policy governing the use of OSS. An OSS policy may establish procedures for identifying OSS components, allocating responsibility for compliance, addressing license obligations, and managing software development practices involving OSS, including the appropriate approval process. The existence of an open-source software policy with the appropriate guardrails is generally a good sign that the company maintains appropriate OSS governance practices. On the other hand, the absence of an OSS policy could be a red flag that signals there may be an issue or, at the very least, requires further investigation and discussion with the company.
Does the Company Provide Employee Training on Appropriate OSS Usage?
An OSS policy is only one aspect of an effective OSS compliance program. Diligence may also focus on whether employees, particularly software developers and engineering personnel, receive training regarding OSS usage and applicable license obligations. Training programs may address topics such as identifying different categories of OSS licenses, understanding attribution and distribution requirements, recognizing restrictions associated with certain licenses, and complying with internal approval procedures.
Does the Company Contribute to Open-Source Projects?
Another area of inquiry is whether the company contributes code or other materials to open-source projects. Where employees contribute to OSS projects, diligence may focus on the company's policies and procedures governing such contributions, including review and approval requirements, ownership of contributed code, and measures intended to prevent the disclosure of proprietary or confidential information.
Does the Company Monitor and Track Open-Source Software Usage?
Diligence frequently includes an assessment of how the company identifies and tracks OSS used within its environments. Companies may maintain inventories of OSS components to assist with identifying applicable licenses, assessing compliance obligations, and understanding software dependencies. This is particularly important given the large number of OSS licenses in use and the differing restrictions and permissions each carries. The absence of an inventory may make it more difficult to assess OSS usage and related compliance obligations.
Does the Company Conduct Regular OSS Scans?
Closely related to maintaining an inventory, an accurate and current compilation of the OSS in use is helpful not only to the company but also to a buyer. Due diligence typically includes a scan of the company’s software, which often surfaces inconsistencies and issues that must be remedied before the transaction closes. One way to reduce such surprises is to maintain a repository of OSS usage that is regularly updated as the company’s use of OSS changes.
Does the Company Maintain an Approval Process for the Use of Copyleft-Licensed Software?
Diligence will include a review of the company's practices relating to the use of software licensed under copyleft licenses, such as the GNU General Public License (GPL), Affero General Public License (AGPL), Lesser GPL (LGPL), and similar licenses.
Companies generally will want to maintain approval processes requiring legal, compliance, or technical review before certain categories of OSS are incorporated into their products or services. This is to protect against proprietary code being packaged with copyleft code and shipped to customers. Depending on the use case, this could “taint” the company’s proprietary code by requiring that such code be made publicly available, which would diminish its commercial value almost immediately.
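As an added illustration of the inventory, scanning, and copyleft-approval practices described above (this is example code, not the firm's or any client's tooling), the following gate reads a constructed component inventory tagged with SPDX license identifiers and flags the entries that should go through the approval process. The family boundaries and the "shipped/hosted/internal" policy are the example's own assumptions, not legal advice, and the inventory entries are invented.

```python
"""Flag inventory entries whose license terms call for copyleft review.

Constructed example: component names, versions and usage are hypothetical.
License identifiers follow the SPDX convention (e.g. "GPL-3.0-only")."""

# Families ranked from least to most restrictive for the purposes of this gate.
PERMISSIVE, WEAK_COPYLEFT, STRONG_COPYLEFT, NETWORK_COPYLEFT, UNKNOWN = range(5)

def classify(spdx_id: str) -> int:
    """Map one SPDX identifier to a license family (assumed mapping)."""
    if spdx_id.startswith("AGPL-"):
        return NETWORK_COPYLEFT          # obligations also triggered by hosted use
    if spdx_id.startswith("LGPL-") or spdx_id in ("MPL-2.0", "EPL-2.0"):
        return WEAK_COPYLEFT             # file/library-scoped copyleft
    if spdx_id.startswith("GPL-"):
        return STRONG_COPYLEFT
    if spdx_id in ("MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"):
        return PERMISSIVE
    return UNKNOWN                       # anything unrecognised needs a human

def classify_expression(expr: str) -> int:
    """SPDX expressions: 'A OR B' lets the user pick the friendlier terms,
    'A AND B' binds the user to the stricter ones. No nested parentheses."""
    return min(max(classify(t.strip()) for t in alt.split(" AND "))
               for alt in expr.split(" OR "))

def needs_review(component: dict) -> bool:
    """Example policy: copyleft code that is shipped to customers, or network
    copyleft code that is shipped or hosted, must be approved before use."""
    fam = classify_expression(component["license"])
    use = component["use"]               # "internal", "shipped" or "hosted"
    if fam == UNKNOWN:
        return True
    if fam == PERMISSIVE:
        return False
    if fam == NETWORK_COPYLEFT:
        return use in ("shipped", "hosted")
    return use == "shipped"

INVENTORY = [  # constructed sample inventory, as an OSS scan might produce
    {"name": "libfoo", "version": "1.2", "license": "MIT", "use": "shipped"},
    {"name": "netlib", "version": "3.0", "license": "LGPL-2.1-only", "use": "shipped"},
    {"name": "dbtool", "version": "0.9", "license": "AGPL-3.0-only", "use": "hosted"},
    {"name": "buildx", "version": "2.0", "license": "GPL-2.0-only", "use": "internal"},
    {"name": "dualpkg", "version": "1.0", "license": "MIT OR GPL-3.0-only", "use": "shipped"},
    {"name": "mystery", "version": "0.1", "license": "SEE-LICENSE-FILE", "use": "shipped"},
]

def flagged(inventory: list) -> list:
    """Names of components that must pass the approval process."""
    return sorted(c["name"] for c in inventory if needs_review(c))

if __name__ == "__main__":
    for name in flagged(INVENTORY):
        print("review required:", name)
```

Running the block lists netlib, dbtool and mystery; the dual-licensed package is cleared because its MIT alternative can be chosen, and the internal-only GPL build tool is not distributed.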
How We Can Help
OSS is used by the technology sector in high volumes and involves a large number of licenses with varying compliance obligations. As a result, buyers and sellers alike need to apprise themselves of the risks and benefits associated with using OSS and of what to look for in a transaction.
Our team stands ready to advise buyers, sellers, investors, and technology companies on OSS issues that arise in M&A transactions and other strategic transactions. We assist clients with OSS-focused due diligence, license compliance reviews, OSS policy development, software governance programs, and remediation efforts identified during diligence and throughout the transaction cycle.