Open Source Indemnification: Why You Should Care

With the recent rise in software copyright claims filed (such as Oracle’s lawsuit against Google for copyright/patent infringement related to Java), companies are realizing more than ever that indemnification protection against costly lawsuits is important. Oracle is just one example among many - see more IP infringement cases put together by Protecode here.

With many of ActiveState’s customers, the discussion around levels of indemnification in an Enterprise or OEM contract often gets passed to compliance officers or lawyers. But even legal counsel in companies aren’t always well-versed in the differences between indemnification for proprietary products and those based on open source.

Indemnification: Proprietary vs. Open Source

With proprietary software, a vendor can very simply provide indemnification as part of a standard agreement, because they have full control and copyright over the product and underlying code.

With open source products, there are multiple contributors to the code, making it all that much more important for companies to protect themselves. However, when a product is based on open source (like ActivePerl, ActivePython, or ActiveTcl), the vendor can’t provide indemnification “out-of-the-box” the way the proprietary vendor can because a lot of added checks need to happen to protect both the vendor and the vendor’s customers. For example, there are many contributors to open source Perl, which ActivePerl is based on (with additional code and compiling then added, to give ActivePerl its own license). Perl has thousands of third-party modules, with each module having its own creator/contributors and its own licenses that may

restrict or have strict requirements around its use. So companies purchasing Enterprise or OEM contracts from ActiveState avoid the hassle of reviewing licenses for all modules, and instead, work with one single license, and one go-to company for indemnification coverage.

These added checks and complexities around indemnification for products based on open source are a welcome value-add for customers who want this security. But due to the loss of control for vendors with open source business models, this protection comes with an extra price tag, which makes it different then proprietary software vendors.

What does a company get with ActiveState’s indemnification?

To remove risks for customers, highlights of ActiveState’s indemnification coverage for ActivePerl, ActivePython, and ActiveTcl include:

Protection against potential IP/copyright/patent infringement lawsuits from community contributors to open source code

Geographic protection: typically, we offer indemnification for United States, Canada, and worldwide, but subject to countries that are governed by WIPO (World Intellectual Property Organization) treaties

Indemnification cap: we protect customers for amounts ranging from 2x the value of a contract in any given year to claims up to $5 million.

Further details are covered in details of our Enterprise and OEM agreements.

Levels of Indemnification

Companies often have policies on indemnification, whether for proprietary or open source products. Software and hardware companies usually have a policy around what levels of indemnification they pass to their customers (driven usually by who they sell to and what those customers demand). So when we discuss indemnification requirements with our customers, they tend to fall into two groups:

Some large companies will only buy open source products that include some level of indemnification and are satisfied with the standard level that ActiveState provides.

Other large companies are more mature in their open source policies: they are more risk averse, perceive themselves to be open to more risk than other companies, or face demands from their own customers that demand high levels of indemnification including coverage for third-party products. These types of companies go a step further and require strict language in the indemnification clauses of their contracts, and really care about the level of coverage they get in the event of a lawsuit.

Whichever group your company falls into, we are flexible and have worked with numerous companies to work out contracts that minimize risk and satisfy both parties needs. Contact us to ensure you’re protected when using ActivePerl, ActivePython, or ActiveTcl in your company.