Open-Source Insurance Is Arriving
Theres nothing new about IP insurance, but New York-based Open Source Risk Management LLC (OSRM) is the first company to specifically target helping companies deal with open-source IP risks.
Daniel Egger, founder and president, announced at San Franciscos Open Source Business Conference this week that the company will launch its consulting service immediately to be followed in about a month by an insurance-like IP indemnification plan for all mainstream Linux distributions.
Specifically, OSRM will use code-scanning and copyright infringement detection technologies, such as that offered by Black Duck Software Inc., to assess a clients code base to identify any code that might lead to plausible legal claims. OSRM also offers risk-mitigation consulting services, based on its set of best practices protocols. In addition, OSRM will offer indemnification packages, a form of insurance-like protection against open-source-related litigation.
OSRM will do this by checking open-source programs with its proprietary VSearch risk-assessment program. This risk assessment is based on best practice protocols developed with the OSRM Working Group of CIOs and legal counsel from Fortune 500 enterprise Linux users.
OSRM is already checking out the Linux kernel with this technology. The company will also keep a certified repository of approved open-source software. The company will then indemnify other businesses using those programs for legal costs resulting from copyright and patent claims.
Egger pointed out that existing indemnification plans by Hewlett-Packard Co., Novell Inc. and Red Hat Inc. fall short because they apply only to a few, specific Linux distributions and dont apply at all if the customer modifies the Linux source code.
In an eWEEK.com interview, Pamela Jones, Director of Litigation Research for OSRM and editor and publisher of the popular SCO legal news and analysis site Groklaw, said, "I believe in what OSRM is doing. The ability to modify the code freely is [at] the heart of Linux. But no single vendor can afford to indemnify you if you modify code. The most important point of OSRMs offering is that it checkmates [earlier versions of] indemnification and keeps GNU Linux free, as in free speech."
Bruce Perens, an open-source leader, said, "Rather than asking vendors to do what they will never feel comfortable doingin effect, asking them to indemnify their competitors products and servicesit is in the long-term interest of all Linux vendors to support a collective, vendor-neutral defense of open source. As a result, open-source users will be better-protected when using an alternative to proprietary software, meaning that open source wins out, not only on grounds of efficiency, freedom and cost, but in regards to comprehensive risk management as well."
The entire issue of Linux IP caught fire for businesses when The SCO Group Inc., asserting that Linux infringes its Unix IP claims, began to sue companies that use Linux.
Can OSRM deliver? While Egger has told eWEEK.com that OSRM has worked with IP attorneys to develop its plans, not everyone is sure that it has a viable business plan. Philip H. Albert, intellectual property attorney, open-source software specialist and partner in the San Francisco office of Townsend and Townsend and Crew LLP, says, "My first impression is that no insurance company would insure an open-ended risk, at least not for significantly less than the $700 per copy being asked [by] SCO. However, the more interesting part is the due diligence that OSRM will have to do behind the scenes. If they do provide at least an approximate provenance of the Linux code, that will be useful in itself. I can see companies leaning toward Linux versions that have such provenances, but the big question for OSRM is how to make money off that."
Check out eWEEK.coms Linux & Open Source Center at http://linux.eweek.com for the latest open-source news, reviews and analysis.