By Philippe Thomas, CEO at Vaultinum
The UK is on track to make 2021 the biggest year ever for tech investment, with the UK tech sector raising a record-breaking £13.5 billion in the first half of the year, almost three times more than for the same period in 2020. As the industry grows and more money is invested, investors need to ensure that they are protected against any possible threats. Risk prevention is particularly important when considering investments in the tech space, where the primary asset of any deal is generally software.
Due diligence efforts in the pre-investment stage are often very detailed in terms of finance and legal but lacking in tech. Software vulnerabilities thus tend to go unnoticed, and a thorough analysis of the use of open source software is generally absent. What risks can this pose, and how can they be mitigated?
Understanding open source software
Open source software can be defined as software that developers can inspect, copy, modify, and redistribute. It is based on shared principles of enriching knowledge through community collaboration; the hive mind is always going to be able to produce bigger and better things than a lone developer writing code from scratch. At present the open source community is thriving, with 35% more code repositories created on GitHub in 2020 than in the previous year. Using open source is fast becoming a strategic necessity in our highly digital world, as in a competitive environment being able to develop faster is essential. Developing and bringing to market new features quicker than a competitor improves an organisation’s chance of winning more market share, with reports even going as far as to say that building an open source culture drives innovation. Unsurprisingly then, working with open source software is becoming a requirement for almost all software.
The benefits of integrating open source software within commercial code repositories are wide-reaching, meaning that open source usage can and should be seen as an asset by investors. Open source allows organisations to tap into a large, technically diverse community of software developers, meaning that open source software can face a lower risk of obsolescence. This wide community also allows organisations to circumvent the difficulties of talent acquisition, cutting costs at the same time. However, in order to reap these benefits, investors must ensure that the organisations they are investing in are correctly managing their open source usage, which is not always the case.
Diving deeper into open source licensing
Open source licensing restrictions can be quite different to those of software developed in-house. Almost all open source licences comply with the ‘essential freedoms’ of the open source movement: the freedoms to use, run, study, modify, and redistribute open source software for any purpose. These freedoms are essential principles that bring about some of the beauties of open source software, as they allow the community to constantly develop and re-develop to find better solutions. However, the way in which these principles apply to software derived from open source depends on the licensing restrictions which have been applied, generally either permissive or copyleft licences.
Permissive licences, such as the Apache Licence v2.0, the BSD licence, and the MIT licence, grant all of the aforementioned ‘essential freedoms’, but do not require that these freedoms are maintained in derivative works. As a result, open source software bound by a permissive licence can be incorporated into a larger codebase and distributed under the same or different licensing terms as you see fit. Given the relative liberty that permissive licences allow, there are few downsides to using them as part of derivative software. On the other hand, copyleft, or so-called ‘non-permissive’, licences require that any redistribution of the software must be done under the same or compatible terms as the original open source licence. The possible terms of copyleft licences are vast and can include being required to make the entire in-house-developed source code public, or needing to pay a licence fee for the usage of open source code within commercial software. The most commonly used copyleft licence, referred to as strong copyleft, is the GNU General Public Licence (GPL), which applies not just to any modifications made to open source code licensed under the GPL, but also to any derivative work based on GPL code. As such, an entire codebase would be bound by the GPL terms, even if it only uses a couple of lines of GPL code.
Protecting your investments against intellectual property risks
When using code bound by restrictive licences, such as the GNU GPL, organisations face a threat to their intellectual property. Licences that allow proprietary code to be defined as derivative work mean that organisations can lose their IP rights to a whole in-house-developed software product. For example, when Hancom Office, a productivity app suite, incorporated Ghostscript, an open source PDF interpreter, into its word-processing software in 2013, it should have adhered to Ghostscript’s open source licence, the GNU GPL. This would have meant that Hancom had to make its entire suite of apps open source under the same GNU GPL licence, thus losing its entire product’s IP rights. Alternatively, in this particular case Hancom could have paid a licensing fee to Artifex, the developer of Ghostscript, as Artifex waives the GNU GPL terms for commercial developers who are willing to pay, an option that is not always available. Hancom did neither, leading to a lawsuit being filed by Artifex in 2017, and the US District Court ruling in Artifex’s favour. While the exact terms of the settlement remain confidential, it is safe to say that Hancom will have suffered drastic financial, reputational, and IP losses.
Of course, the risk level of using open source software is dependent on how contaminating the open source licence is, and the severity of its terms. Integrating open source software that is bound by a permissive licence will not have the same fallout as integrating software bound by a copyleft licence, which forces organisations to pay or make public their codebases, a devastating IP loss. Artifex v Hancom has set a daunting precedent for any organisation integrating open source software bound by a copyleft licence into their wider code bases, and organisations need to implement a strong open source strategy to avoid any such legal battles.
Investors should check for open source licensing restrictions and all other potential maintainability and cyber-exploitation risks associated with a piece of software by carrying out comprehensive software due diligence before investing. The most comprehensive auditing combines automated scanning with expert review to examine every line of code, so that any open source software is identified and its licence assessed accordingly. Auditing also reviews a business’s internal operational processes, including its open source management strategy, to reduce and even avoid such risks in the future.
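As an added illustration of the licence triage such an audit automates (example code, not Vaultinum’s tooling), the script below evaluates SPDX licence expressions from a dependency inventory into the permissive and copyleft categories described above and lists every dependency whose terms would reach into the wider codebase. The SPDX identifiers are real; the dependency names, the inventory and the grouping into categories are constructed for this example.

```python
import re

# Added example (not Vaultinum's tooling): real SPDX identifiers, grouped as the article does.
CATEGORIES = {
    "permissive": {"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"},
    "weak-copyleft": {"LGPL-2.1", "LGPL-3.0", "MPL-2.0", "EPL-2.0"},
    "strong-copyleft": {"GPL-2.0", "GPL-3.0", "AGPL-3.0"},
}
# Higher rank = more restrictive; unknown terms are never assumed to be benign.
RANK = {"permissive": 0, "weak-copyleft": 1, "strong-copyleft": 2, "unknown": 3}
# SPDX precedence: OR binds looser than AND. OR = integrator's choice (least restrictive
# side wins); AND = obligations stack (most restrictive side wins).
OPS = (("OR", min), ("AND", max))

def category(ident):
    base = re.sub(r"(-only|-or-later|\+)$", "", ident)  # GPL-2.0-or-later, GPL-2.0+ -> GPL-2.0
    for cat, idents in CATEGORIES.items():
        if base in idents:
            return cat
    return "unknown"

def classify(expr):
    """Evaluate a full SPDX expression, parentheses included, to one category."""
    tokens = re.findall(r"\(|\)|[A-Za-z0-9.:+\-]+", expr)
    pos = 0
    def parse(level=0):
        nonlocal pos
        if level == len(OPS):  # atom: identifier or parenthesised group
            tok, pos = tokens[pos], pos + 1
            if tok != "(":
                return category(tok)
            cat = parse()
            pos += 1  # consume ')'
            return cat
        op, pick = OPS[level]
        cat = parse(level + 1)
        while pos < len(tokens) and tokens[pos].upper() == op:
            pos += 1
            cat = pick(cat, parse(level + 1), key=RANK.__getitem__)
        return cat
    return parse()

SAMPLE_INVENTORY = [  # constructed: (dependency, declared SPDX expression)
    ("fast-json", "MIT"),
    ("pdf-render", "AGPL-3.0-only OR LicenseRef-Commercial"),  # dual-licensed, no fee paid
    ("crypto-utils", "Apache-2.0 AND LGPL-2.1-or-later"),
    ("legacy-parser", "(MIT OR GPL-2.0-only) AND BSD-3-Clause"),
]

def audit(inventory):
    """Return the non-permissive findings, most restrictive first."""
    findings = [(name, expr, classify(expr)) for name, expr in inventory]
    return sorted((f for f in findings if f[2] != "permissive"), key=lambda f: -RANK[f[2]])
```

A dual-licensed dependency is reported under its copyleft terms until the commercial licence is evidenced, which is the gap the Hancom case turned on.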
Philippe Thomas is the CEO of Vaultinum, a trusted independent third party specialising in the protection and audit of digital assets. He has 20+ years of experience in the fintech industry, having started his career in open outcry market surveillance, extending into business development and becoming a COO, before starting his journey with Vaultinum in 2019. Vaultinum provides software escrow contracts, copyright deposit solutions, and software due diligence tools to top-tier firms, private equity firms, and VCs worldwide.