Insurance comes to open source

Three organizations join to unveil first policy to protect sellers and users of open source-based products.

By China Martens and IDG News Service, Network World
November 07, 2005 12:03 AM ET
Three organizations are teaming up to offer what they say is the first insurance policy for open source compliance to provide coverage for companies worldwide that sell products incorporating open source software or use it on their networks.

The three organizations are Open Source Risk Management (OSRM), a risk-mitigation consultancy; a Lloyd's of London underwriter called Kiln; and Miller Insurance Services, a Lloyd's broker.

The policy will be called Open Source Compliance Insurance, and it will initially offer maximum coverage of $10 million, according to OSRM CEO Daniel Egger. A company signing up for the policy will be reimbursed if it is determined to have suffered a direct loss because software it uses or sells was found not to be in compliance with specific open source license agreements.

The definition of a direct loss includes any revenue loss a company might incur in relation to a product containing noncompliant open source software. Another definition of a direct loss relates to any potential negative impact the discovery of noncompliant open source software may have on the value of a company's impending merger or acquisition, Egger said in a recent interview.

OSRM will act as the exclusive worldwide risk assessor and adviser for the new insurance policy, according to Matthew Hogg, intellectual-property underwriter at Kiln.

OSRM has a team of five people who carry out an open source license compliance review of a company's software. This initial risk assessment costs between $25,000 and $50,000, Egger says.

OSRM then reports to Kiln about the findings of the review, and after establishing the company's risk profile, draws up the insurance policy. "The review firms up the facts that we've looked at it and believe in the position," Hogg says. "The buck [then] stops with the insurance company."

In its compliance review, OSRM uses its Silhouette methodology. Egger says OSRM's approach to determining a company's compliance differs from the compliance-assessment services offered by Black Duck Software and Palamida. "We're not in competition with them," he says. "They're about the cut and pasting [of open source software]; we're about the links [of open source software] into a company's software."

License compliance can depend on the level at which a proprietary application calls into or links to an open source piece of software, he adds. The lower down the stack the link is made, say into the kernel of the open source Linux operating system, the greater the potential for license noncompliance.

Assessing compliance involves some gray areas, Egger says. For instance, one key area hotly debated in open source circles is how licenses treat software distribution, particularly in relation to Web services. Further, what some individuals consider acceptable use under an open source license, others dispute. Kiln will take on those risks for policyholders, he says.

OSRM, Kiln and Miller have not been preselling the insurance policy, but Egger says he expects to announce the first customer for the policy shortly.
