IP Risk and Open Source Software: Investor Considerations

IP Risk and open source software considerations for investors


Thu Nov 30 2023 · 5 min read

Investing in a business where custom software development is material to the success of the organisation brings a particular set of risks. Getting clear advice at the right stage that helps quantify and strategise these risks can materially preserve the value of an investment.

Open source software has enabled an acceleration of software development but can come with significant risks, especially if the investment target is not aware of the specific nuances.

At CTO Labs we have often seen deals get mired down as the legal risks of leveraging open source software have to be determined.

Here are some considerations we would recommend when looking at investing in companies that are dependent on custom software development:

Copyleft licenses

The most common open source issue we encounter relates to open source that is classified as “copyleft” being incorporated into a product or solution. The term copyleft is the concept that not only should the source code to the software be open and distributed freely, but that any derivatives of that software should also make the source code available as well.

The impact is that under certain conditions, software that has incorporated other copyleft software would have to release their source code to the public. This could mean that an organisation that felt that they had protected intellectual property would have to make it freely available to anyone who asked for it, potentially handing IP to a competitor.

When copyleft software is incorporated in an asset, legal advice should be sought and, where appropriate, an assessment made of how easy it is, technically, to mitigate the copyleft risk.

Open Source Governance Maturity

Investment targets will vary greatly in maturity around understanding open source intellectual property risk and how to manage it. Questions CTO Labs often assesses when doing due diligence on a target are:

- Does the target have an open source usage policy?

The first step is normally to have a current and stated internal policy around the acceptable use of open source software, which identifies what open source licenses are acceptable to use and under what conditions. This policy should be reviewed by legal advisors experienced in this space regularly.

- How does the target enforce the usage policy?

What process is there to enforce and validate that the policy is being followed? Just having a policy is insufficient without some sort of enforcement.

- Does the target record what open source software they use and how it is licensed?

One of the common problems we encounter during a due diligence is that many open source software solutions are offered under multiple licenses, and a particular license needs to be accepted when the software is used. Without documentation of which license was accepted, it is legally ambiguous which one applies and leaves it open to interpretation. This creates legal ambiguity and risk.

- Is there automated tooling as part of the path of production?

Mature organisations have open source license detection built into the tools used to get software into production, which ensures that the policy is enforced and highlights any risks, challenges or ambiguity early so they can be reviewed and discussed as appropriate.

- Are all software assets covered?

In several due diligences, even with mature organisations, it has been evident that software assets were not managed through the organisational open source usage policy. Because barriers to software development are low these days, it is quite easy, even for non-technical areas of an organisation, to create software IP which incorporates open source software.
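The policy gate described under the questions above (an agreed list of acceptable licenses, a record of which option was accepted for dual-licensed components, and a check that runs on the path to production) can be sketched in code. The following is an added example written for this article, not CTO Labs tooling or any vendor's product: the allowed and copyleft identifier sets are a hypothetical policy, the SBOM-style component list is constructed, and the package names are invented. It evaluates each component's SPDX license expression, flags copyleft terms for review, blocks components with no recorded license or an unrecognised identifier, and, for "A OR B" expressions, requires the accepted option to be recorded before the component is cleared.

```python
"""Illustrative open source license policy gate for a build pipeline.

Added example for this article, not CTO Labs code. The policy sets,
the component list and the package names are all constructed.
"""
from dataclasses import dataclass

# Hypothetical policy: identifiers acceptable without further review.
ALLOWED = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}
# Hypothetical policy: copyleft identifiers that always need legal review
# of how the component is used and distributed before release.
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only",
            "LGPL-2.1-only", "MPL-2.0"}
# Values that mean "no license was recorded for this component".
NO_LICENSE = {"", "NONE", "NOASSERTION"}


@dataclass
class Finding:
    package: str
    license_expr: str
    status: str   # "allowed", "review" or "blocked"
    reason: str


def split_expression(expr):
    """Split a flat SPDX expression into (operator, identifiers).

    Handles 'A OR B' and 'A AND B' without nesting; a bare identifier
    is returned as ("", [identifier]).
    """
    expr = expr.strip().strip("()")
    for op in (" OR ", " AND "):
        if op in expr:
            return op.strip(), [part.strip() for part in expr.split(op)]
    return "", [expr]


def classify_id(spdx_id):
    """Map one identifier to a status under the hypothetical policy."""
    if spdx_id in ALLOWED:
        return "allowed"
    if spdx_id in COPYLEFT:
        return "review"
    return "blocked"   # unknown or unlisted: treat as unlicensed until reviewed


def evaluate(package, license_expr, chosen=None):
    """Evaluate one component; `chosen` records the option accepted for OR expressions."""
    expr = (license_expr or "").strip()
    if expr.upper() in NO_LICENSE:
        return Finding(package, expr, "blocked",
                       "no license declared; all rights reserved until reviewed")
    op, ids = split_expression(expr)
    if op == "OR":
        if chosen is None:
            return Finding(package, expr, "review",
                           "dual-licensed; accepted option not recorded")
        if chosen not in ids:
            return Finding(package, expr, "blocked",
                           f"recorded choice {chosen!r} is not an offered option")
        ids = [chosen]          # only the accepted option governs the obligations
    statuses = {classify_id(i) for i in ids}   # under AND, every term applies
    if "blocked" in statuses:
        return Finding(package, expr, "blocked", "unrecognised license identifier")
    if "review" in statuses:
        return Finding(package, expr, "review", "copyleft terms apply; legal review required")
    return Finding(package, expr, "allowed", "permissive license")


# Constructed SBOM-style component list (package names are invented).
SAMPLE_SBOM = [
    {"name": "web-framework", "license": "MIT"},
    {"name": "db-driver", "license": "GPL-2.0-only OR MIT", "chosen": "MIT"},
    {"name": "pdf-lib", "license": "AGPL-3.0-only"},
    {"name": "date-utils", "license": "Apache-2.0 AND BSD-3-Clause"},
    {"name": "legacy-helper", "license": ""},
    {"name": "crypto-shim", "license": "MIT OR LGPL-2.1-only"},
]


def gate(sbom):
    """Evaluate every component in the list and return the findings."""
    return [evaluate(c["name"], c.get("license", ""), c.get("chosen")) for c in sbom]


def pipeline_passes(findings, approved=frozenset()):
    """Blocked findings always fail the build; review findings fail unless
    the package has a recorded legal sign-off in `approved`."""
    for f in findings:
        if f.status == "blocked":
            return False
        if f.status == "review" and f.package not in approved:
            return False
    return True


if __name__ == "__main__":
    results = gate(SAMPLE_SBOM)
    for f in results:
        print(f"{f.status:8} {f.package:14} {f.license_expr!r}: {f.reason}")
    print("build passes:", pipeline_passes(results))
```

Run against the constructed list, the gate clears the two permissive components and the dual-licensed driver whose accepted option was recorded, flags the AGPL component and the unrecorded dual-license choice for review, and blocks the component with no license at all; the build fails until the blocked item is resolved and the review items carry a sign-off. Real pipelines would take the component list from a generated SBOM and a full SPDX expression parser rather than the flat splitter used here.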

AI Assisted Development

While AI assisted development has been a recent and innovative way to increase productivity in software development, in many cases the legal risks are not yet known. It can easily make the copyright ownership and license obligations of software unclear, adding unbounded IP risk.

While some of the providers of AI assisted development are providing indemnity as part of their solution, there has been very little validation that it would be sufficient.

Any target that is using generative AI to assist in writing code or other aspects of software development should have a thorough legal review to better understand potential risks around the investment.

Unlicensed Software Risks

One of the big myths CTO Labs has encountered when reviewing a target's IP risks is that publicly available software without an explicit license can be used in any fashion desired. While we are not legal advisors, we know that is not the case. Software that incorporates other unlicensed software needs legal review and likely a specific mitigation strategy, because it creates legal uncertainty and risk.

Complexity and Uncertainty

Open source software usage and AI assisted development are complex areas both technically and legally. Without thoroughly understanding the situation, an investor could easily get caught out valuing an asset at one level only to find out later that legal risks or ambiguity end up draining the value or erasing the competitive advantage of an investment.

Getting the right advice at the right stage to quantify risks and help strategise on how to mitigate them is highly important to preserving asset value. We at CTO Labs can be part of the solution of making this complex landscape understandable.
