
Startup pronounces Linux kernel clean, offers legal services and insurance

Apr 19, 2004 — by LinuxDevices Staff — from the LinuxDevices Archive

Open Source Risk Management (OSRM) is offering three insurance products it says can reduce the attractiveness of lawsuits around open source. The products include corporate indemnification insurance, a collective defense program, and a legal advice subscription service for open source developers.

OSRM, a start-up with fifteen employees based in New York City, made the news in February when it hired Groklaw editor Pamela Jones as its Director of Litigation Risk Research.

According to CEO Daniel Eggers, OSRM's indemnification services are backed by reinsurance that it buys from “a number of fairly large insurance companies.” It is not, itself, an insurance company with large holdings.

OSRM uses pattern-matching technology to evaluate copyright risks in software source code, offering to indemnify anyone using code that can pass muster. Unlike Black Duck, which two weeks ago announced a software tool for copyright risk assessment, it does not plan to distribute its pattern matching software, according to Eggers.

Product 1: Indemnification

Significantly, the company says that unpatched 2.4 and 2.6 Linux source trees have passed its tests, and it is willing to indemnify anyone using them. “We have been doing our own copyright review of the Linux kernel, comparing it to different versions of Unix,” said Eggers. “To the best of our knowledge, the Linux kernel is clean and not infringing anybody's copyright.”

Eggers adds that OSRM plans to certify additional source trees soon, such as those from commercial embedded Linux distributors.

Several Linux vendors, including Novell, Red Hat, and HP, already indemnify customers, but only for original costs. “Typically, device developers get indemnification equal to what they've paid,” said Eggers. “But, it might cost five times that to recall devices, if a judge ever ordered a recall.”

Eggers says even a tiny, nearly inconsequential copyright violation could result in a recall order, because embedded software is viewed as a system component and field upgrades are rarely applicable.

Eggers says the general pricing scheme for end users will be about “three percent of the maximum coverage, or about $30,000 annually for a million dollars.”

Eggers adds that OSRM is talking with a number of embedded device vendors doing custom Linux implementations about their insurance needs.

Product 2: Collective defense service

A second OSRM offering targets companies that have already received demand letters from SCO or others alleging copyright violations. “You can't get insurance once someone says they're going to sue you,” says Eggers.

Eggers says the scarcity of good open source IP rights lawyers prompted OSRM to start its collective defense program. “They need to know IP law, the details of the GPL and other open source licenses, and the history of Unix, including AT&T, Berkeley, and SCO. We've been finding a handful of people who are really well versed in these things, and are making them available for companies, so they can coordinate and have a defense that's more coherent,” said Eggers.

Eggers adds that OSRM's legal panel is coordinating activities and developing a common set of defenses and documents, representing an estimated million dollars' worth of value.

Several undisclosed companies have already signed up, according to Eggers. The defense service costs $100,000 annually.

Product 3: Developers' legal advice service

The third OSRM product is a legal advice service for developers priced at $250 per year. The service aims to educate open source software developers about their rights, teach them the intellectual property value of their contribution, and explain how to minimize the chance their copyright will be challenged later. According to Eggers, a typical customer would be a developer needing to get a company to acknowledge that he or she contributed code under the GPL.

Embedded angle

According to Eggers, much of the initial interest in OSRM's services has come from the embedded quarter, in part due to well-publicized cases involving embedded devices and alleged GPL violations.

“The first wave of Linux development was developing technical parity with other OSes,” said Eggers. “Now, Linux for devices is the match of any embedded operating system. Now, the war is on another ground — the legal system — and it has a totally different set of rules. In the end, you still need lawyers, guns, and money, and that's where we come in.”


 
This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.


