Software license compliance analysis vendor Open Source Risk Management Inc. (OSRM) is adding insurance coverage to its offerings to help businesses ensure the open-source license integrity of software companies they acquire or applications they use internally. In an announcement Monday, New York-based OSRM said it will offer insurance policies of up to US$10 million to protect businesses from legal risk involving open-source code in certain situations.

OSRM has partnered with London-based insurance underwriter Kiln PLC and Lloyd's of London insurance broker Miller Insurance Services Ltd. to offer the insurance program.

Daniel Egger, CEO of OSRM, said the three companies are aiming the new offering at specific needs, including software development companies that want to be sure the open-source components they incorporate into proprietary applications are being used within the terms of their open-source licenses. "It comes up in special circumstances," Egger said, including when software companies acquire other vendors and want to ensure that the product lines they are buying comply with the licenses of included open-source code.

The insurance costs about $20,000 for $1 million in coverage, or about 2% of the desired coverage amount.

The issue for many software companies, Egger said, is that they sometimes use open-source software in proprietary applications without regard to whether that use could conflict with the open-source licenses. "There are plenty of ways to link into open-source software that won't trigger any alarms" involving licenses, he said.

According to OSRM, one common scenario involves proprietary software, such as trading tools or inventory management applications, that uses one or more open-source components.
By making such tools available on a company extranet or sending them to external partners or suppliers, a company could be seen as distributing the code, which is a violation of the GNU General Public License (GPL) unless the company also makes the modified source code freely available, including to competitors, according to OSRM.

The OSRM/Kiln partnership differs from software compliance vendors such as Waltham, Mass.-based Black Duck Software Inc. and San Francisco-based Palamida Inc. because those companies analyze a company's code and tell it what it must do to ensure license compliance, but they don't provide actual insurance, Egger said.

Matthew Hogg, an underwriter for Kiln, said the insurance policies are similar to having a building inspection performed before buying a new home. "Potentially, it's a large market," Hogg said. "It will appear to some people as a niche market for the next six months or a year, but after that, it will gain considerably. It's very relevant to technology companies that are distributing or selling software products."

Analysts have differing views on the insurance coverage idea. Stephen Graham, an analyst at market research company IDC in Framingham, Mass., said adding insurance coverage to a risk analysis service makes sense, but added that it's more likely to be used as another tool rather than as a revolutionary shift. "Is it really going to take the industry by storm?" he said. "Probably not, but it's another step along the path."

Michael Goulde, an analyst at Forrester Research Inc. in Cambridge, Mass., said he was "a little disappointed" with the initial insurance offering from OSRM because it's focused more directly at commercial software companies rather than at everyday corporate users of open-source software. "It's not that what they're doing isn't valuable," he said. "But it's a fairly narrow policy. It's a start. You've got to start somewhere. If Kiln makes money, someone else will step in to do this."

By Todd R. Weiss – Computerworld (US online)