September 22, 2020

Open Source Indemnification: Why You Should Care

Some software copyright claims filed in the past have gained much attention (such as Oracle’s lawsuit against Google for copyright/patent infringement related to Java, which was later settled in Google’s favour). Reliance on open source is only increasing over time. The 2021 OSSRA report affirms that open source software provides the foundation for the majority of applications across all industries. Companies now realize more than ever that open source indemnification protection against costly lawsuits is important.

With many of ActiveState’s customers, the discussion around levels of indemnification in an Enterprise or OEM contract often gets passed to compliance officers or lawyers. But even legal counsel in companies aren’t always well-versed in the differences between indemnification for proprietary products and those based on open source.

Indemnification: Proprietary vs. Open Source

With proprietary software, a vendor can very simply provide indemnification as part of a standard agreement, because they have full control and copyright over the product and underlying code.

With open source products, there are multiple contributors to the code, which makes it all the more important for companies to protect themselves. However, when a product is based on open source (like ActivePerl, ActivePython, or ActiveTcl), the vendor can’t provide indemnification “out-of-the-box” the way the proprietary vendor can, because a lot of added checks need to happen to protect both the vendor and the vendor’s customers. For example, there are many contributors to open source Perl, which ActivePerl is based on (with additional code and compiling then added, to give ActivePerl its own license). Perl has thousands of third-party modules, each with its own creator/contributors and its own licenses that may restrict its use or impose strict requirements on it. Companies that opt for ActiveState’s Indemnification offering avoid the hassle of reviewing licenses for all modules and instead work with one single license and one go-to company for indemnification coverage.

These benefits around indemnification for products based on open source are a welcome value-add for customers who want this kind of security. But due to the loss of control for vendors with open source business models, this protection comes with an extra price tag, which sets it apart from the indemnification that proprietary software vendors provide.

What does a company get with ActiveState’s indemnification?

To remove risks for customers, highlights of ActiveState’s indemnification coverage for ActivePerl, ActivePython, and ActiveTcl include:

  • Protection against potential IP/copyright/patent infringement lawsuits from community contributors to open source code
  • Geographic protection: typically, we offer indemnification for the United States, Canada, and worldwide, subject to countries that are governed by WIPO (World Intellectual Property Organization) treaties
  • Indemnification cap: we protect customers for amounts based on the value of their yearly contract.

Levels of Indemnification

Companies often have policies on indemnification, whether for proprietary or open source products. Software and hardware companies usually have a policy around what levels of indemnification they pass on to their customers (usually driven by who they sell to and what those customers demand). When we discuss indemnification requirements with our customers, they tend to fall into two groups:

  • Some large companies will only buy open source products that include some level of indemnification and are satisfied with the standard level that ActiveState provides.
  • Other large companies are more mature in their open source policies: they may be more risk averse, or perceive themselves to be open to more risk than other companies, or face customers of their own who demand high levels of indemnification, including coverage for third-party products. These types of companies go a step further and require strict language in the indemnification clauses of their contracts, and really care about the level of coverage they get in the event of a lawsuit.

Whichever group your company falls into, ActiveState’s Indemnification offering is flexible. We’ve worked with numerous companies to work out contracts that minimize risk and satisfy both parties’ needs.

Bart Copeland

Bart Copeland is our CEO and president. He's passionate about ensuring that everyone at ActiveState has a lot of fun while solving complex problems with applications that provide real benefit to our customers. He holds an MBA in Technology Management from the University of Phoenix and a Mechanical Engineering degree from the University of British Columbia.