Open Source Governance

Open Source Governance is the risk management process for using open source software in commercial software products. So what is the risk in using open source software?

Open source software and risk

Open source usage carries several risks, such as:

  • Operational risk:

    • Missing commercial services, like support, might impact the ability to serve customers well in commercial environments;

  • Commercial risk:

    • Monetization of software products might be blocked by open source licenses;

    • Missing warranty and liability terms for software increase the warranty and liability risk for the commercial software vendor;

    • Business models and delivery models might be limited if the open source license does not explicitly allow them or even forbids them.

  • License attribute risk:

    • Missing or incomplete license attributes, e.g. for sublicensing the software or running it in a cloud environment;

    • Non-compliance with license terms might lead to litigation.

  • Patent litigation risk:

    • Open source software might infringe intellectual property rights such as patents, which poses a legal risk.

Establishing open source governance

Proactive management of open source usage and open source licensing is paramount for commercial software vendors. Open source governance is required from the design to the shipment of software solutions.

Before you start with open source governance, you have to define your open source policy containing:

  • Strategic topics:
    • Risk level accepted by the management
    • Overall investment in organization, processes and tools for open source compliance
  • Tactical topics:
    • Level of management to approve open source usage
    • Frequency and intensity of governance
    • Software license tracking: Open source scan tool selection
    • Size of open source governance functions
  • Operational topics:
    • List of acceptable open source licenses based on risk level
    • Budget for open source scan tools
    • A process for governance of used open source components.

Reactive Open Source Governance

Reactive open source governance only reacts to open source components that are already used in a commercial software product and evaluates whether that use is acceptable. As a result, the open source component can either be used or has to be removed from the product.

Proactive management of Open Source Components

A proactive approach to open source governance is to provide access to open source components from within the development tools. The development tools then only offer open source components that the company allows under its open source policy.

For more details, please consider the following book:

Title: Open Source best practices

Editor: Karl Michael Popp

ISBN: 3738619096

Publisher: Books on demand

Date published: