Getting a Handle on Open-Source Compliance

There’s no such thing as a free lunch, right? And if someone offers you one, immediately you start looking for the catch.

What about open-source software? It’s free, right? What’s the catch?

It turns out that there are some catches. The developers of some open-source programs prohibit anyone who uses them from monetizing the end products that incorporate them. And that very problem led one enterprising entrepreneur to build a business to address it.

Kevin Wang is the founder and CEO of FOSSA, which stands for free and open-source software analysis. Wang launched the San Francisco-based startup in 2015, and last year, on the occasion of receiving $8.5 million in Series A funding, he wrote about the impetus.

“FOSSA was born out of my own reactions as a developer to the need for open source while satisfying compliance and security mandates of the teams I worked on,” Wang wrote. He built the platform initially “for developers to automatically track which open source packages they used and manage the thousands of license obligations they came with.”

After he released the scanning tool as open source itself, thousands of developers ran over 10 million scans. “The data we gathered painted a clear opportunity in the enterprise,” he added. In fact, as it’s turned out, it painted more than one.


Xin Ding heads FOSSA’s product management. During a recent briefing, he gave us an overview of why open source is central to software development. And how FOSSA helps lawyers sleep better.

These days, he said, everyone uses some open source. Maybe 90 percent of new software contains it, he estimated. Writing code from scratch takes too much time. Open source starts you with a stamp of approval and validation. And it’s free.

But companies need to check the software licenses. Some licenses are permissive, Ding said. They give you free rein to use the software as you wish. But copyleft licenses are different. Unlike copyrights, which allow owners to charge for the right to use licensed code, copylefts allow developers to use software without charge—but the final product they are developing must also be available for free. This means that products built with copyleft licenses can’t be monetized, Ding said.

So knowing what’s under the hood is essential. And these days, that’s a lot more difficult than it used to be. The distribution market has changed. Years ago companies would release software every year, or maybe every other year with an update in between. Now, Ding pointed out, there are frequent updates—sometimes multiple times a week. It’s a continuous delivery model that pushes fixes and updates any time. And they can be automatically delivered without disturbing users.

Who are the people most often concerned by this state of affairs? The general counsel, Ding said. Most of them know they may have a licensing problem. But they’re often at a loss to know what to do.

Some GCs try to get answers from the engineers. They ask them to fill in a spreadsheet with all of the open-source software and licenses. But that’s nearly impossible, Ding said. The engineers don’t know. They can’t keep up with the updates and the software behind the scenes. They know that their company uses React, Ding said, but they don’t know the 10 programs React uses.

If the GC is lucky, the engineers will take a shot. And maybe turn in some sort of list a few weeks later. And they can both pretend that the problem is solved. But often the GC is “scared to ask how accurate the spreadsheet is,” Ding added.

The other licensing nightmare a company’s lawyers sometimes worry about is M&A deals. As difficult as it is to get a handle on your own company’s license inventory, how are you supposed to find out the status of another company’s stockpile? And how accurate will their estimate be?


For most companies, it’s just not possible to inventory licenses manually, Ding said. FOSSA automates it. They focus on the compliance problem. The GC sets the company’s licensing policy in the program. FOSSA scans to check the open-source software the company is running. And then checks the status of the licenses. The platform scans the company’s entire inventory and compiles a complete record—or as complete as possible. And every time there’s a software update, a compliance scan follows.
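To make the workflow Ding describes concrete (a policy set by legal, a scan of the full dependency tree including the packages that React-style libraries pull in behind the scenes, and a rescan after every update), here is a small added example. It is not FOSSA’s code and makes no claim about how FOSSA works internally; the inventory, the package names and the policy are constructed for illustration, using SPDX-style license identifiers.

```python
"""Added example: license-policy check over a dependency inventory.

Not FOSSA's code. The inventory and policy below are constructed samples.
"""
from collections import deque

# Policy as legal might set it: allowed outright, needs review, denied.
# (Constructed; a real policy depends on how the product is distributed.)
POLICY = {
    "allow": {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"},
    "review": {"LGPL-2.1-only", "MPL-2.0"},
    "deny": {"GPL-3.0-only", "AGPL-3.0-only"},
}

# Constructed inventory: package -> (license, direct dependencies).
# Hypothetical names; not real package metadata.
INVENTORY_V1 = {
    "my-app":        ("Proprietary",   ["react", "reports"]),
    "react":         ("MIT",           ["loose-envify", "object-assign"]),
    "loose-envify":  ("MIT",           ["js-tokens"]),
    "js-tokens":     ("MIT",           []),
    "object-assign": ("MIT",           []),
    "reports":       ("Apache-2.0",    ["pdf-kit-ish"]),
    "pdf-kit-ish":   ("LGPL-2.1-only", []),
}

# A later release: "reports" now pulls in a GPL chart library and a package
# that is missing from the inventory entirely.
INVENTORY_V2 = dict(INVENTORY_V1)
INVENTORY_V2["reports"] = ("Apache-2.0", ["pdf-kit-ish", "chart-lib", "untracked-widget"])
INVENTORY_V2["chart-lib"] = ("GPL-3.0-only", [])

SEVERITY = {"allow": 0, "review": 1, "unknown": 2, "deny": 3}


def resolve(root, inventory):
    """Breadth-first walk of the dependency graph.

    Returns {package: path-from-root} for every transitive dependency, so a
    finding can be traced back to the direct dependency that introduced it.
    Packages referenced but absent from the inventory are still visited.
    """
    paths = {}
    queue = deque([(root, [root])])
    while queue:
        name, path = queue.popleft()
        _, deps = inventory.get(name, ("UNKNOWN", []))
        for dep in deps:
            if dep in paths:
                continue  # already reached by a shorter path
            paths[dep] = path + [dep]
            queue.append((dep, paths[dep]))
    return paths


def classify(license_id, policy):
    """Map a license identifier to the policy verdict; unlisted -> unknown."""
    for verdict in ("deny", "review", "allow"):
        if license_id in policy[verdict]:
            return verdict
    return "unknown"


def scan(root, inventory, policy=POLICY):
    """One compliance scan: every transitive dependency gets a verdict."""
    findings = {}
    for pkg, path in resolve(root, inventory).items():
        license_id, _ = inventory.get(pkg, ("UNKNOWN", []))
        findings[pkg] = {
            "license": license_id,
            "verdict": classify(license_id, policy),
            "path": " -> ".join(path),
        }
    return findings


def violations(findings):
    """Packages that block a release: denied, or with no known license."""
    return sorted(p for p, f in findings.items() if f["verdict"] in ("deny", "unknown"))


def new_issues(before, after):
    """Rescan after an update: packages that are new or whose verdict got worse."""
    out = []
    for pkg, f in after.items():
        if f["verdict"] == "allow":
            continue
        prev = before.get(pkg)
        if prev is None or SEVERITY[f["verdict"]] > SEVERITY[prev["verdict"]]:
            out.append(pkg)
    return sorted(out)


if __name__ == "__main__":
    v1 = scan("my-app", INVENTORY_V1)
    v2 = scan("my-app", INVENTORY_V2)
    for pkg in new_issues(v1, v2):
        print(f"{pkg}: {v2[pkg]['verdict']} ({v2[pkg]['license']}) via {v2[pkg]['path']}")
```

The point of the `path` field is the one Ding raises: the engineer who added `reports` never chose `chart-lib`, so the report has to say which direct dependency dragged it in. Treating a package with no license data as a violation rather than silently passing it reflects the “as complete as possible” caveat above; an inventory gap is a finding, not a pass.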

That was the first solution the company offered. And FOSSA now reports that it’s analyzed 23 million open-source packages for more than 7,000 customers. Clearly there was an opportunity there.

In May, FOSSA rolled out a new solution, Ding said. It’s open-source vulnerability management. FOSSA aims to create an accurate inventory across all projects, and then will work to continuously identify and remediate vulnerabilities. It will do this by standardizing open-source usage, automatically enforcing policies and scanning for weaknesses.

The platform will integrate compliance into software development to avoid creating license problems in the first place. That should keep the engineers humming. And for the general counsel, who started with all of those headaches to contemplate, it sounds like there may be calmer days ahead.

One in-house lawyer sounds convinced. Patrick Lonergan, an associate general counsel for IP at the software company Zendesk, is quoted in a case study on the FOSSA website. Zendesk had an open-source management system that was built for the old model of software updates, and was overmatched by current distributions. FOSSA has provided “on-demand database and issue management capabilities” that allow the Zendesk engineering and legal teams “to seamlessly collaborate throughout the development lifecycle to maintain open-source compliance.”

Lonergan sounds like a satisfied customer: “With FOSSA, I use 99 percent less of my engineering team’s time and only require their support on issues that matter.”