Best Practices for SaaS Companies Using Open Source Software
Dan Fredrickson | October 30, 2024
Open source software is an essential part of most companies’ software development programs. For SaaS companies, open source software offers a way to leverage existing code libraries and components to speed up development and reduce costs. However, using open source software also comes with responsibilities and risks, particularly when it comes to compliance with open source licenses. Understanding and managing these risks before including open source software in your code base is crucial for scaling and avoiding legal issues down the road, especially when contracting with enterprise customers and during M&A or financing events.
Why open source matters
First and foremost, SaaS companies should not be afraid of using open source software. It rarely makes sense to reinvent the wheel by building everything from scratch when there are readily available open source components that can help achieve the same functionality. Open source allows developers to be more efficient and focus on building unique features, rather than spending time recreating basic functionality.
That said, it’s essential to understand the licenses that govern the use of these open source components. Open source software is typically available under a variety of licenses (e.g., Apache, MIT, GPL), each with their own terms. For instance, many licenses allow the software to be used for any purpose, as long as certain conditions—such as attribution to the original creator—are met. Compliance with these conditions is usually straightforward, but it’s crucial to ensure you follow them properly.
Copyleft and other licensing risks
One of the biggest concerns with open source software is the concept of copyleft. This class of licenses, including the GNU General Public License (GPL), aims to ensure that software licensed under the GPL, and any modifications to it, remain part of the open source community. If you modify and distribute copyleft-licensed software, you are required to make the modified code available under the same license. For many companies, the primary risk of using copyleft software is that incorporating it into their product might force them to release their entire codebase (including proprietary code) as open source—potentially losing the keys to the castle.
It is important to note, however, that the triggers for copyleft restrictions and requirements differ depending on the open source license at issue. Commonly used licenses such as the GPL have copyleft obligations that are triggered upon “distribution” of modified open source software. Others, such as the GNU Affero General Public License (AGPL), attempt to cover SaaS scenarios by requiring that modified code be made available even when the software is only accessed remotely over a network.
When does open source software compliance typically come up?
When contracting with enterprise customers, you may encounter provisions that require you to represent and warrant that no open source software is used in your product. This is an extraordinarily difficult standard for any company to comply with and, in most cases, unrealistic. Instead, aim to revise such provisions to state that you do not use open source software in a way that imposes obligations on the customer or that you have vetted the software for compliance with its licenses.
Open source compliance becomes particularly important during M&A or financing events. Investors and acquirers will want assurances that the company is in compliance with all IP licenses, including open source licenses. Failure to comply can create friction in deals and reduce the value of your software assets.
Best practices for managing open source software compliance
Using open source software isn’t the problem—it’s how you use it that matters. Here are some best practices:
- Start early: It’s much easier to track and manage open source software compliance from the beginning of a project than to clean up issues after the fact. Keep an inventory of all open source components used, how they are used, and whether they have been modified.
- Policies and training: Companies should adopt and implement a written policy for reviewing, approving, tracking, and managing open source components to ensure compliance with licensing terms and avoid unintended outcomes. Companies should ensure that developers are familiar with the policy and its requirements.
- Avoid modifications where possible: If you can, avoid modifying open source packages. Modifying open source code can create additional licensing obligations, particularly under copyleft licenses. If you do need to make modifications, carefully review the license terms to understand the implications.
- Understand how you connect to the base code: In some cases, how you link open source software to your proprietary code can affect whether copyleft obligations apply. Static linking (where the open source software is directly incorporated into your code) can trigger copyleft requirements, whereas dynamic linking (where your software and the open source code remain separate but communicate) may not.
- Monitor regularly: Continuously track the open source software used in your SaaS product, especially as new features and updates are rolled out. Use tools to monitor for new vulnerabilities or changes in licensing terms. Ensuring your software is always up-to-date with the latest patches helps prevent security risks and compliance issues.
- Leverage third-party tools: There are valuable third-party tools available that can scan code and detect open source software and associated licenses. Companies should consider utilizing these tools in advance of M&A or financing events if they are not confident that they’ve adequately tracked the open source software they use.
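The inventory, modification tracking and linking questions above can be turned into a first-pass policy check. The following is an added example, not code from the article or from any particular scanning tool; the license groupings, the `Component` fields and the sample inventory are hypothetical and constructed for illustration, and the flags it raises are review prompts that follow the article's description of each license family rather than legal conclusions.

```python
from dataclasses import dataclass

# License families as the article groups them (hypothetical policy table, not legal advice).
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-3-Clause"}
COPYLEFT_ON_DISTRIBUTION = {"GPL-2.0-only", "GPL-3.0-only"}
NETWORK_COPYLEFT = {"AGPL-3.0-only"}


@dataclass(frozen=True)
class Component:
    name: str
    license: str          # SPDX identifier recorded in the inventory
    modified: bool        # did we change the upstream source?
    linking: str          # "static", "dynamic" or "service" (separate process / API)
    distributed: bool     # shipped to customers, or only run in our SaaS backend?


def review(c: Component) -> list[str]:
    """Return the compliance flags a reviewer should look at for one component."""
    flags = []
    if c.license in PERMISSIVE:
        flags.append("attribution: keep the copyright notice and license text")
    elif c.license in NETWORK_COPYLEFT:
        # AGPL treats remote network access like distribution, so SaaS use counts.
        flags.append("network copyleft: applies to SaaS use even without distribution")
        if c.modified:
            flags.append("modified AGPL code must be offered to network users")
    elif c.license in COPYLEFT_ON_DISTRIBUTION:
        if not c.distributed:
            flags.append("copyleft triggers on distribution: backend-only use, keep tracking")
        else:
            if c.modified:
                flags.append("modified GPL code must be released under the GPL")
            if c.linking == "static":
                flags.append("static linking may pull proprietary code under copyleft")
            elif c.linking == "dynamic":
                flags.append("dynamic linking may not trigger copyleft: review license terms")
    else:
        flags.append("unknown license: resolve before diligence")
    return flags


def audit(inventory: list[Component]) -> dict[str, list[str]]:
    """Map each component name to its flags; anything beyond attribution needs sign-off."""
    return {c.name: review(c) for c in inventory}


# Constructed sample inventory (component names are made up).
INVENTORY = [
    Component("http-client", "Apache-2.0", False, "dynamic", False),
    Component("pdf-render", "GPL-3.0-only", True, "static", True),
    Component("search-engine", "AGPL-3.0-only", True, "service", False),
    Component("legacy-util", "UNKNOWN", False, "static", False),
]
```

Run `audit(INVENTORY)` from a CI job over the real dependency manifest to get a per-component list of review prompts; the unknown-license branch is the one that most often surfaces inventory gaps before a diligence request does.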
SaaS companies should embrace the benefits of open source software but must do so with a clear understanding of the risks and obligations involved. The key is not to avoid using open source but to be mindful of how you use it. By implementing a robust compliance program and proactively managing open source components, SaaS companies can access the advantages of open source while minimizing legal and operational risks. In short, open source is a powerful tool—just be sure to handle it responsibly.
Dan Fredrickson is a commercial partner at KO Law who assists companies in connection with complex commercial and technology transactions. His clients range from early stage startups and emerging companies to private and public multinational corporations across many industries, including software, energy, life sciences, hardware, Internet and eCommerce, consumer products, and professional services. Reach Dan at [email protected].