Taking the risk out of open source

Insurance is a good policy when dealing with open source, Neil McAllister says

Picture this scenario: Suppose Company A acquires Company B, a hardware vendor that incorporates the Linux kernel into its products. After the acquisition is complete, however, an unfortunate thing happens. Linux developers bring a lawsuit against Company B, alleging violations of the GNU GPL (General Public Licence). As part of the settlement, Company A agrees to open source all of Company B’s code, even the previously proprietary parts.

With the stroke of a pen, Company A has lost some of the business value of its purchase of Company B. Wouldn’t it be neat if Company A could have bought insurance to protect itself against that unforeseen loss?

Almost two years ago, Daniel Egger, chief executive of open source licence compliance consultancy Open Source Risk Management (OSRM), began going door to door to large companies asking this very question. He garnered a lot of interest but there was one piece missing. At that time no such insurance existed.

Today it does. During the past 18 months, Egger has partnered with Kiln, a Lloyd’s of London insurance underwriter, and Miller Insurance Services, a Lloyd’s broker, to develop a unique insurance product designed specifically for commercial IT vendors that incorporate open source into their products.

You may know the Lloyd’s name from some of the more gossip-worthy assets it has insured in the past: Betty Grable’s legs, for example, or Keith Richards’s fingers. But such policies are more than mere publicity stunts. The unique Lloyd’s business model — Lloyd’s is a kind of marketplace, rather than a single company — allows it to take on such unusual risks. Risks, for example, such as open source software.

“Nobody’s ever done anything even close to it before, but it fits naturally into a suite of business that I look at,” says Kiln underwriter Matthew Hogg. “In the modern knowledge economy, why are companies still buying their property insurance, or whatever, when their risks are actually held in intangible assets?”

The policy OSRM and Kiln have developed takes advantage of the fact that cases like these go to court. “It doesn’t pay your legal bills, so there’s no incentive to feed the litigation monster,” says OSRM’s Egger.

Instead, the policy covers the terms of the inevitable settlement. It will either reimburse a company for loss of business value associated with open sourcing proprietary code, as mentioned earlier, or else it will underwrite the cost of re-engineering a product to bring it into full compliance. The policy covers liability of as much as US$10 million (NZ$14.6 million), at a cost of around US$20,000 per US$1 million of coverage per year.

Critics say the insurance will only encourage companies to infringe on open source licences more often. But that’s not how it works. Just as an appraiser must judge that a new factory building is sound before it can be insured, OSRM acts as Kiln’s appraiser in evaluating potential clients’ software environments and practices for good open source citizenship.

“We do a good job for Kiln if we advise the clients on how to be so compliant that they never have any claims,” Egger says.

“Our approach is to look at what they’re doing and, if it’s not already completely safe, make recommendations of what they could do.”

By eliminating the last element of doubt companies have about using open source, Hogg says Kiln’s insurance makes open source code more freely accessible.

After all, isn’t that what open source is all about?

McAllister is an associate editor at InfoWorld. Contact him at neil_mcallister@infoworld.com
