Adam Kessel, principal, Fish & Richardson, P.C. presented, "Patents and Open source Known and Unknown Risks." For more information, please visit our website at www.blackducksoftware.com.
Tony Decicco, Shareholder and Leon Schwartz, Associate both from GTC Law Group & Affiliates presented "You've got your open source audit report, now what? Best practices for companies of all sizes." For more information, please visit our website at www.blackducksoftware.com.
Winning the Cage-Match: How to Successfully Navigate Open Source Software iss... - Black Duck by Synopsys
A blow-by-blow discussion of key open source software-related issues and deal points from the point of view of buyer/investor vs. seller/investee. Understanding the key legal and technical risks, as well as strategies for mitigating them, will help you to speed and smooth negotiations, avoid protracted due diligence and get better deal terms, increasing overall value.
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal - Black Duck by Synopsys
Flight Amsterdam presentation by Anthony Decicco, Shareholder, GTC Law Group
Open source software is increasingly centric to transactions, whether licensing, mergers, acquisitions, financing, insurance, offerings or loans, and the deal landscape is changing with the prevalence of representation and warranty insurance, heightened focus on security vulnerabilities and increasing litigation. As such, it is important to understand and re-visit key open source software-related issues and deal points to accelerate your deal, avoid unnecessary due diligence and realize the most value from your open source software-related compliance efforts.
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut... - Black Duck by Synopsys
We look at the three reasons you must attend the FLIGHT Amsterdam conference; how to build outstanding projects in the open source community; and why isn’t every app being security tested? Plus, in-depth into the TRITON attack; why 2018 is the year of open source; how open source is driving both IoT and AI and a webinar on the 2018 Open Source Rookies of the Year.
Open Source Insight is your weekly news resource for open source security and cybersecurity news!
A number of interesting legal developments in open source took place in 2016. We’ll examine a few of the top legal news stories and the current real-world risk of open source use as well as a discussion of defensive and offensive uses of open source.
This document provides an overview of data breaches and relevant privacy laws. It notes that data breaches appear to be increasing, with millions of records leaked in 2018 alone. Two key laws are the EU's General Data Protection Regulation (GDPR) and Network and Information Systems Directive (NISD), which establish security and breach reporting requirements. Under these laws, personal data must be kept secure, breaches must be reported, and fines for noncompliance can be substantial. The document outlines compliance obligations and considerations around open source software vulnerabilities.
Presented by Mark Radcliffe on October 12, 2016
This webinar examined the implications of recent developments in open source compliance and litigation. It touched on a series of Linux-related cases and stepped up compliance activity in Germany, in addition to current patent suits against Apache projects. The new litigation was discussed in the context of prior similar cases such as the Versata-Ameriprise case. Additionally, the webinar provided an overview of compliance best practices and how to reduce the risk of open source compliance and litigation.
Patching software is a constant challenge. The Equifax hack and subsequent FTC investigation has shown us that required patches aren’t limited to those published by commercial vendors. Open source updates are just as critical; tracing new vulnerabilities and updates to applications in which those components are used isn’t just a good practice, it’s a regulatory requirement.
A focused approach to managing open source risk is essential as the legal landscape quickly evolves, including requirements under the FTC Act, HIPAA, and the European Union’s General Data Protection Regulation (GDPR). Coupled with heightened regulatory enforcement, these requirements increase the pressures on companies to maintain data privacy and security. This session will cover common misconceptions about these requirements, and explain why open source management is essential to your overall security strategy.
Companies are constantly seeking ways to ensure their application code is secure and effectively managed. For example, M&A assessors conduct one-time code audits on companies they are buying to avoid legal, operational or security pitfalls. Other organizations are proactive, using an ongoing solution to make sure their application code is secure and well managed on a day-to-day basis. Increasingly, many companies are opting to use both approaches. Join Bob Genshaft, Director Strategic Programs at Wolters Kluwer, and Black Duck's VP and General Manager On-Demand Audits Phil Odence for a discussion that will address key open source security and management questions:
• When is it appropriate to conduct an audit?
• When should your company consider an ongoing solution?
• What are the benefits of doing both?
• What does an effective Open Source Policy look like?
This presentation from AppSec 2016 covers video game security and hacking video games including how to analyze your business risk, common attacks and protection, and specific tactics to lower your risk.
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb... - Black Duck by Synopsys
The Black Duck blog and Open Source Insight become part of the Synopsys Software Integrity blog in early April. You’ll still get the latest open source security and license compliance news, insights, and opinions you’ve come to expect, plus the latest software security trends, news, tips, best practices, and thought leadership every week. Don’t delay, subscribe today! Now on to this week’s open source security and cybersecurity news.
Securing and automating your application infrastructure meetup 23112021 blior mazor
Stay safe, grab your favorite food and join us virtually for our upcoming "Securing and Automating your application infrastructure" meetup to hear about the vast changes modern application deployment, application security in containers, ways to find vulnerabilities in your code and how to protect your application infrastructure.
This document provides guidance on avoiding intellectual property (IP) pitfalls in procurement. It discusses:
1) Different IP rights that can apply simultaneously, such as patents, copyrights, and trademarks.
2) Using agreements as an "early warning system" to specify deliverables, IP ownership, and audit rights to prevent issues around customized work and subcontractors.
3) Recommendations for indemnities, damages, joint IP ownership, and protecting customer IP in outsourcing and cloud computing arrangements.
BSIMM-V: The Building Security In Maturity Model - Cigital
The document describes the Building Security In Maturity Model (BSIMM), which is a descriptive model for measuring software security practices. It provides an overview of BSIMM, including that it is based on data from 67 organizations and contains 161 distinct security measurements across 4 domains and 12 practices. It also discusses how BSIMM can be used as a benchmark to track security improvements over time and compare organizations.
The document discusses various methods for securing client devices and applications. It describes securing the client by using hardware system security, securing the operating system software, and protecting peripheral devices. Specific techniques discussed include secure booting using UEFI and secure boot standards, establishing a hardware root of trust, preventing electromagnetic spying, and addressing risks from supply chain infections. The document also covers securing the operating system through configuration, patch management, and using antimalware software like antivirus, antispam, and antispyware programs.
The document discusses risk mitigation strategies for network security. It covers assessing threats through formal threat assessments that examine the likelihood and seriousness of potential threats. Risk assessments involve testing systems for vulnerabilities, managing changes to systems, auditing user privileges, and planning for incident response. The document outlines approaches to calculating risk both qualitatively and quantitatively by evaluating the likelihood and potential impact of risks based on historical data from sources like police, insurance companies, and computer incident monitoring organizations. Effective risk mitigation involves knowing potential threats, assessing related risks, and implementing strategies to reduce vulnerabilities and consequences.
Toreon adding privacy by design in secure application development oss18 v20... - Sebastien Deleersnyder
The General Data Protection Regulation (GDPR) has arrived!
One monumental change is the introduction of Privacy by Design. In this keynote we will focus on the Privacy by Design (PbD) implications for developers.
Two cornerstones for a successful implementation of PbD will be pitched: 1) the integration of GDPR in a Secure Development Lifecycle approach 2) threat modeling and GDPR risk patterns
This document summarizes strategies for web application security. It discusses options like annual penetration tests, ongoing assessments, source code reviews, secure coding training, and using a web application firewall. It provides case studies of implementing these strategies at different organizations like a dotcom company, BFSI client, financial products company, and telco. It analyzes the outcomes at each organization and identifies common lessons. Finally, it outlines strategic options and common elements of an effective security strategy.
Open Source Insight: GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So... - Black Duck by Synopsys
A big news week for Synopsys and Black Duck as Gartner releases the 2018 Gartner Magic Quadrant for Application Security Testing and the 2018 Open Source Rookies of the Year are announced. More on these stories and the hottest open source security and cybersecurity news in this week’s Open Source Insight!
This document discusses advanced cryptography and public key infrastructure (PKI). It covers implementing cryptography, including key strength, algorithms, and cryptographic service providers. It also defines digital certificates, describing how they are used to verify identity through a trusted third party. Finally, it examines the components of PKI, including certificate authorities, digital certificate formats and types, and certificate management protocols.
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious... - Black Duck by Synopsys
This document provides a summary of cybersecurity and open source news stories from March 2nd. It discusses the need to incorporate application security practices into the DevOps process. It also looks at deciding between open source and proprietary software based on factors like code transparency and vendor support. Additionally, it reports that one in eight open source components contain security flaws and explains why enterprises need a comprehensive software security program rather than isolated security activities. Finally, it provides answers to frequently asked questions about the GDPR regulation and notes unexpected places where GDPR-related data can be found.
BSIMM: Bringing Science to Software Security - Cigital
There is an old management adage that says “You can’t manage what you don’t measure.” The Building Security in Maturity Model (BSIMM) applies scientific principles to the field of software security to effectively measure security activities across industries and business units. The BSIMM enables experts like you to discover what exists in the application security universe, how those things work today, how they worked in the past and how they are likely to work in the future.
During a recent webinar, West Monroe discussed, "The State of Open Source in M&A Transactions."
Based on extensive experience in M&A, West Monroe Partners is on the front line when it comes to tech due diligence, and they’ve seen a few trends emerge when it comes to open source and M&A deals. Buyers and sellers alike need to understand these trends to get the most value out of any transaction.
For more information, please visit our website at www.synopsys.com/open-source-audit
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open... - Black Duck by Synopsys
We take a deep dive into security researchers Charlie Miller and Chris Valasek’s keynote at last week’s FLIGHT 2017 conference. What is “Hidden Cobra” and is it targeting US aerospace, telecommunications and finance industries? Both banks and the Pentagon are making big moves into open source. And why it’s smart to assume that every application is an on-premise application.
The best of November’s application security and open security news (so far) follows in this week’s edition of Open Source Insight.
Securing Voting Infrastructure before the Mid-Term Elections - Denim Group
The prospect of nation state interference with our 2018 mid-term elections is a reality that secretaries of state are facing. Given the fast-changing nature of the threat and the sprawling election infrastructure across the country, how are state officials securing their voting systems and databases in anticipation of the election? What are emerging strategies given the limited resources and unlimited needs? Where are the most vulnerable parts of the election systems and where should state officials focus their efforts given the potential for disruption? This webinar will provide an attacker’s view of a typical state-run election system and will make recommendations where to focus limited time and resources in the run up of the 2018 mid-term election in November.
This document discusses the intersection of blockchain technology, open source software, and patents. Some key points include:
1) Open source licenses can "taint" proprietary software if they are combined, requiring the proprietary software to also be open source. This impacts business models.
2) Open source software can still be patented. Patents are an important issue to consider with open source use and contributions.
3) Certain open source licenses require licensees to grant patent licenses, sometimes broadly, which many organizations do not expect.
4) Asserting patent claims against open source users can trigger penalties under some licenses, such as losing the right to use the open source software.
5) Network access models
Open Source Licensing: Types, Strategies and Compliance - All Things Open
Presented by: Jeff Luszcz, ZebraCatZebra
Presented at All Things Open 2020
Abstract: Open Source powers the world, but you need to do more than use it.
In this talk we will provide background on the most common types of open source licenses, business models, security issues and the processes required to help you remain secure and in compliance. We will discuss best practices, scanning tools, remediation, customer and partner expectations around OSS compliance and how to manage OSS during events such as a product release or M&A.
This slidedeck is the second in a series of presentations on legal issues on open source licensing by Karen Copenhaver of Choate Hall and Mark Radcliffe of DLA Piper. To view the webinars, please go to http://www.blackducksoftware.com/files/legal-webinar-series.html. You may also want to visit my blog which frequently deals with open source legal issues http://lawandlifesiliconvalley.com/blog/
Open source licenses can be more than a little confusing for those of us that just want to write a little bit of code. However, with open source components playing such a big part in the products that we create, open source licenses and compliance simply can’t be ignored.
We’ve compiled the one stop resource guide for working compliantly with open source components, including answers to FAQs about the most popular licenses in 2018. Read all about the hottest licensing trends that you need to be following and some predictions for 2019.
Open source software is growing, especially in IoT, but there is little understanding of license obligations. This presentation provides best practices for using open source software safely and effectively. It discusses open source licenses including GPL, LGPL, MIT and their terms. It emphasizes the importance of compliance to avoid liability issues seen in court cases. Developers must understand which licenses are acceptable and how to identify and address license requirements for all code used.
More than ever, open source software is at the heart of modern online businesses and technology companies. Open source is nearly everywhere: web browsers, smartphones, home wireless routers, databases, web servers, and countless components of free, commercial, and large enterprise software. But most open source software comes with strings attached, and if misunderstood, they can trip up the unwary.
Recently Ansel Halliburton held a webinar to discuss the common pitfalls in open source licensing, and the best practices for avoiding them.
Topics:
• The most common sources of non-compliance with open source licenses
• The key differences between the most popular licenses
• The basis in intellectual property law for open source licensing
• How courts in the US and abroad have enforced open source licenses
These slides are from a webinar by attorney Ansel Halliburton on September 22, 2015.
This document provides an overview of open source software licenses and Creative Commons licenses. It begins with an introduction to common open source licenses including the MIT, Apache, MPL, GPL and AGPL licenses. Key terms are defined and the requirements, permissions and prohibitions of each license are outlined. Hypothetical situations involving a student developing an app using open source code are presented. The document also covers Creative Commons licenses, outlining the different conditions and combinations of licenses. A hypothetical involving a client with educational YouTube videos is used to demonstrate advising on appropriate Creative Commons licenses. Links to more information on the different licenses are provided.
OSSF 2018 - Jilayne Lovejoy - Training: Intro to Open Source (FINOS)
The document provides an overview of intellectual property law as it relates to open source software. It discusses trademarks, patents, copyright, and licenses. It defines open source software as both a development model that allows modification and a legal construct implemented through copyright licenses. The document outlines different open source license types and considerations for using and engaging with open source software, including license compliance, contributions, and creating open source projects.
Open source is gleefully rewriting the rules of IT development at all levels of industry and government. Adoption of open source in government is well underway, with success stories illustrating the benefits.
This decade we are going further - fostering a healthy, sustainable, working relationship between government and open source:
* This presentation digs into the flexibility of open source licensing and how government organizations can meet the challenges of developing with open source.
* We will look at the advantages of government participation in open source at the project, institutional, and foundation level.
Attend this talk to understand how your organization can not only benefit from open source, but be open source.
This document summarizes legal and other issues related to the use of open source software. It defines key terms like proprietary software, open source software, and freeware. It discusses and compares licensing terms for proprietary vs open source software. It notes advantages and disadvantages of each for procurement purposes. It provides guidance on sharing software within the Commonwealth while complying with licensing terms. It emphasizes the importance of conducting best value procurement that considers technical, legal and business factors for both proprietary and open source options.
This document summarizes legal and other issues related to the use of open source software. It defines key terms like proprietary software, open source software, and freeware. It discusses and compares licensing terms for proprietary vs open source software. It notes advantages and disadvantages of each for issues like cost, modifications, standards, and support. It provides guidance on sharing and procuring software following best value practices in Massachusetts.
The document provides an overview of open source licensing. It defines open source software as software with an open source license that gives users the rights to use, modify, and distribute the software as well as access its source code. Prominent open source programs and vendors are listed. The history and roles of the Open Source Initiative (OSI) and Open Source Definition (OSD) are described. Common open source licenses like the GPL, BSD, and Mozilla licenses are outlined and compared. The risks and benefits of open source software are briefly discussed.
This document discusses legal and other issues related to using open source software. It defines key terms like proprietary software, open source software, and freeware. Both proprietary and open source software have advantages and disadvantages to consider. When sharing or procuring software within the Commonwealth, open source licenses and ownership of the software must be reviewed. A best value analysis is required for procurement to assess risks and benefits of different software options. Resources for comparing open source licenses and the Commonwealth's IT policies are provided.
Open Source Licensing Fundamentals for Financial Services (FINOS)
Andrew Hall, The Hall Law Firm: Open Source Licensing Fundamentals for Financial Services.
Andrew and Lena will address fundamental concepts of open-source licensing to assist executives in better understanding the benefits, obligations, restrictions, and risks involved in leveraging and contributing to open-source solutions and incorporating open-source licensing into commercial strategies.
The discussion will include: an overview of the different categories of open-source licenses (such as copyleft, prohibitive, and permissive); the obligations and restrictions commonly associated with the use of open-source software; the “copyleft,” “tainting,” or “viral” effect of copyleft licenses; community and private open-source license enforcement trends; and the adoption of open-source software and licensing in support of commercial product and service offerings.
Open Source Software: An Edge For Your Growing Business (Promet Source)
This document provides an overview of open source software, including defining it, discussing its uses and restrictions, and how businesses can generate revenue from open source software. Open source software is subject to an open source license that requires access to source code and allows modifications and redistribution. It has advantages for businesses like lower costs, avoidance of vendor lock-in, and greater adaptability. However, it also has restrictions like requiring access to source code and allowing further modifications. The document discusses open source licenses like GPL in more detail and addresses common questions about open source software.
OSS licenses and the Eclipse Public License (Philippe Krief)
This document provides a summary of open source software licenses and the Eclipse Public License. It begins with introductory information about the presenters and scope of the content. It then discusses key aspects of open source licenses including the open source definition, intellectual property law as it relates to software, characteristics of software licenses such as definitions and grant of rights. Specific licenses are compared including permissive, weak copyleft and strong copyleft models.
Presented by Brooks Kushman and Rogue Wave Software at the Embedded Systems Conference. It provides both legal and practical considerations in developing embedded systems using open source software (OSS). It discusses open source development tools, how to integrate OSS into embedded systems and the different OSS licenses, and provides a road map to compliance.
Times are changing and demand ever more attention. This is especially true in the area of open source software. The complexity, particularly in the technology industry, is enormous, above all where security plays an important role.
The use of open source is already considerable and continues to grow. Compared with last year, the number of companies using OSS has risen enormously. In Germany, 69% of the surveyed companies use OSS, and the trend keeps rising. Globally, according to the 2019 OSSRA report (Open Source Security and Risk Analysis), 60% of the surveyed companies used open source in the analyzed code in 2018, a 3% increase over the previous year.
During this talk, we looked at some of the typical controls that Android/iOS applications exhibit, how they work, how to spot them, and how to sidestep them. We’ll demonstrate analysis and techniques using free open source tooling such as Radare and Frida, and for some parts, we’ll use IDA Pro. And since “automation” is the buzzword of the year, we’ll discuss how to automate some of these activities, which typically take up most of the assessment window.
For more information, please visit our website at www.synopsys.com/software
This annual review will highlight the most significant legal developments related to open source software in 2019, including:
•Evolution of open source: control, sustainability, and politics
•Litigation update: Cambium and Artifex cases
•Patents and the open source community
•Impacts of government sanctions
•The shift left for compliance and rise of bug bounty programs
•And much, much more
For more information, please visit https://www.synopsys.com/software-integrity/managed-services/open-source-software-audit.html
Today’s security professionals and software developers not only have to do more in less time; they have to do it securely. This means mitigating risk and addressing compliance requirements in an environment where:
• The threat landscape continues to evolve.
• Application portfolios and their risk profiles continue to shift.
• Security tools are difficult to deploy, configure, and integrate into workflows.
• Consumption models continue to change.
How can your internal resources keep pace in this dynamic environment? Managed application security testing can be just the relief valve your organization needs. In this webinar, we’ll discuss the need for managed application security testing, the sweet spots where it offers maximum value, what you should look for in a managed application security testing provider, and highlights from Synopsys’ Managed Services offering.
For more information, please visit our website at https://www.synopsys.com/software-integrity/managed-services.html
During a recent webinar, Jonathan Knudsen presented: "That's Not How This Works: All Development Should Be Secure."
Development teams are pressured to push new software out quickly. But with speed comes risk. Anyone can write software, but if you want to create software that is safe, secure, and robust, you need the right process. Webinar attendees will learn:
• Why traditional approaches to software development usually end in tears and heartburn
• How a structured approach to secure software development lowers risk for you and your customers
• Why automation and security testing tools are key components in the implementation of a secure development life cycle
For more information, please visit our website at www.synopsys.com/software-integrity.html
Companies’ use of open source software has surpassed the occasional and solidified itself as the mainstream. Effectively identifying and managing the compliance and security risks associated with open source software can be a difficult task. Whether a company is acquiring another company, preparing for acquisition or simply wanting to manage their use of open source, the universal first step is to figure out the composition of the code, often via an audit. But what do you do once you have the audit report?
For more information, please visit our website at https://www.synopsys.com/open-source-audit
During a recent webinar, Lewis Ardern, senior security consultant presented "OWASP Top 10 for JavaScript Developers."
With the release of the OWASP Top 10 2017, we saw new contenders for the most critical security issues in the web application landscape. Much of the OWASP documentation concerning issues, remediation advice, and code samples focuses on Java, C++, and C#. However, it doesn’t give much attention to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the growing use of Node.js and its libraries and frameworks. This talk will introduce you to the OWASP Top 10 by explaining JavaScript client and server-side vulnerabilities.
For more information, please visit our website at www.synopsys.com/standards
Vulnerabilities are an inevitable part of software development and management. Whether they’re in open source or custom code, new vulnerabilities will be discovered as a codebase ages. As stated in the 2019 Open Source Security and Risk Analysis report, 60% of the codebases audited in 2018 contained at least one known vulnerability. As the number of disclosures, patches, and updates grows, security professionals must decide which critical items to address immediately and which items to defer.
For more information, please visit our website at www.synopsys.com/software.
Dan Sturtevant, Silverthread and Niles Madison at Synopsys discussed design quality and code quality on a recent webinar.
In an acquisition where a software asset is a core part of the deal valuation, it’s important to understand the overall quality of the software prior to doing the deal. Buggy software is problematic and needs to be cleaned up, so assessing code quality is important. But also, with poorly designed software, every fix is costly and laborious. This can significantly impact the long-term viability of the application, and maintaining that software can seriously degrade ROI. That’s why understanding a software system’s design or architectural health and the likely 'cost of ownership' is key.
For more information, please visit our website at https://www.synopsys.com/open-source-audit
During a recent webinar, Andrew Vanderstock, senior principal consultant at Synopsys presented "Using Evidence-Based Security in Your Secure Development Life Cycle." For more information on our products and services, please visit our website at www.synopsys.com/software.
The Synopsys Cybersecurity Research Center (CyRC) has a dedicated team of security analysts who specialize in sourcing, curating, and analyzing open source software vulnerabilities. The team delivers a customer-focused vulnerability feed comprising open source vulnerability reports called BDSAs (Black Duck Security Advisories). These reports are timely, accurate, and packed with relevant actionable information.
In this webinar, Siobhan Hunter, security research lead, reveals why the high-quality content of the BDSA feed is best in class, with examples of how our BDSA feed compares with the NVD and insights into how we discover and deliver valuable vulnerability information for our customers every day. For more information, please visit our website at https://www.synopsys.com/cyrc
This document summarizes a study on why investing in application security (appsec) matters for financial services organizations. The study found that over 50% of financial services firms had experienced theft of customer data due to insecure software. It also found that on average, only 34% of financial software and technology is tested for cybersecurity vulnerabilities. While addressing cybersecurity risks is important, the study noted that financial organizations face resource constraints, with only 45% believing they have adequate budgets for security and only 38% having necessary security skills. The document promotes the software integrity tools offered by Synopsys to help organizations build more secure software faster and address these challenges.
Virtually every organization uses open source software, and lots of it, to create efficiencies in software development. But left unmanaged, open source can introduce legal, IP, compliance, and other risks for the business. With over 2,500 different licenses in use, legal professionals and technical managers need to understand the license obligations associated with open source and how to mitigate risks. For more information, please visit our website at www.synopsys.com/open-source-audit
In the past few years, cybersecurity has become more intertwined into each step of the automotive development process. In particular, fuzz testing has proven to be a powerful approach to detect unknown vulnerabilities in automotive systems. However, with limited instrumentation, especially on systems such as in-vehicle infotainment (IVI) system and telematics units, there are several types of issues that go undetected, such as memory leaks and cases where the application crashes but restarts quickly. For more information, please visit www.synopsys.com/auto
During a recent webinar attendees learned how a purpose-built M&A open source audit differs from open source management tools and why it matters in tech due diligence. We covered:
• The types of risk around open source software
• Why depth of analysis matters, and what it results in during M&A diligence
• Why accuracy, reporting, and expert human analysis are keys to thorough diligence.
For more information, please visit our website at www.synopsys.com/open-source-audit
Lysa Bryngelson, Sr. Product Manager for Black Duck Binary Analysis at Synopsys, presented on a recent webinar. She discussed how one of the biggest challenges companies face with third-party software is the lack of visibility into the open source libraries used in the software they embed in their products. Over the last year, major security breaches have been attributed to exploits of vulnerabilities in open source frameworks used by Fortune 100 companies in education, government, financial services, retail, and media. For more information, please visit our website at www.synopsys.com/blackduck
While the adoption of DevOps was a natural transition for Agile organizations, the move to DevSecOps has introduced new challenges. DevSecOps requires a significant shift in mindset and corporate culture to integrate new tools and new security activities. That is why keeping pace with Agile and DevOps culture while introducing security into the software development life cycle (SDLC) is a challenge for many companies.
In this webinar, Cem Nisanoglu explores the DevSecOps operating model and highlights the importance of change management, automation, and security metrics in a transition to DevSecOps, as well as how these activities can contribute to security training, faster release cycles, and the optimization of security budgets within the enterprise.
Tim Mackey is a principal security strategist with the Synopsys Cybersecurity Research Center (CyRC). Within this role, he engages with various technical and business communities to understand how application security is evolving with ever-expanding attack surfaces and increasingly sophisticated threats. He specializes in container security, virtualization, cloud technologies, distributed systems engineering, mission critical engineering, performance monitoring, and large-scale data center operations. Tim takes the lessons learned from these activities and delivers talks globally at conferences like RSA, KubeCon and InfoSec. For more information, please visit www.synopsys.com/software.
During a recent webinar, Tim Mackey, Principal Security Strategist with the Synopsys Cybersecurity Research Center, discussed how to streamline the tech due diligence process.
For more information, please visit our website at www.synopsys.com/open-source-audit
During a recent webinar, Thomas Richards, Network Security and Red Team Practice Director with Synopsys discussed security tool misconfiguration and abuse.
For more information, please visit our website at www.synopsys.com/software
Flight East 2018 Presentation–Patents and Open Source Known and Unknown Risks
1. Patents and Open Source
Known and Unknown Risks
Adam Kessel
Principal, Fish & Richardson P.C.
2. Roadmap
• Can patents and open source coexist?
• Open source license patent provisions
• Patent (and other) risks raised by open source
• Litigation case studies
• Best practices / playbook
4. Quick Intro to Software Patents – Why Get Patents?
• Freedom of Action
• Deter attacks by operating companies
• Cross-licensing
• Out-licensing
• Counterclaims
• Deter copying by competitors
• Deter trade secret misappropriation
• Add value to business deals
• Independent profit center
• Licensing and/or sales
5. Quick Intro to Software Patents – Why Not Get Patents?
• Legal expense/uncertain ROI
• Engineering distraction
• Eliminates trade secret protection
• Shifting landscape may reduce value
  • Bilski/Alice (2008/2014) – patentability questions, particularly for software
  • eBay (2006) – injunctive relief harder to get
  • KSR (2007) – easier to prove patents obvious
  • PTAB proceedings under the America Invents Act (2012) – easier to challenge validity, uneven playing field, litigation often stayed
  • TC Heartland (2017) – patent owner has less control over venue
• Bad P.R. for some audiences, including open source community
6. Why are patents useful in open source context?
• “offensive” use
• Patent claim scope often differs from OS license scope
• Patent rights to complement copyright/license/contract/unfair competition claims to pursue bad actors
• Dual licensing
• Against use of the invention outside the open source project (this may encourage adoption of the open source project)
• Where the invention is incorporated in open source projects but was not part of your company’s contribution
• Inventions that are related to but not part of the contribution (or the combination of the contribution with the work)
• Can still be sold/licensed to third parties with separate interests
7. Why are patents useful in open source context?
• “defensive” use
• All the same reasons as for offensive use; and
• If you are sued on the work you can often counterclaim on the same subject matter
• If you stop using the open source code and don’t plan to use it again
• Prevent others from filing on same idea; create prior art and record of first invention at Patent Office
• Particularly important in post-AIA “first to file” system
8. Can a patent owner get relief if it also practices open source?
• Royalty-free cross-licensing does not preclude a reasonable royalty
• Multiple networked royalty-free cross-licenses, e.g., OIN, LOT, W3C, etc., have thrived despite the potential for a similar argument in those contexts
• Injunctions are already difficult in U.S. patent litigation; any licensing, including open-source licensing, may weigh against injunctive relief
• From a defensive perspective, where an accused infringer’s software is open source (and thus “free”), that may complicate the patent owner’s damages theory
10. Open Source Patent Provisions
Patent clauses in open-source licenses generally fall into one of three categories:
• Patent licenses (or covenants not to sue)
  • Who grants the license? Generally, only contributors (including in some cases modifying distributors or arguably pass-through distributors); however, read the provisions of the OS license at issue, e.g., the copyleft license.
  • Which patents does the license include? (a) The contribution alone, or (b) the combination of the Contribution with the Work (see, e.g., Apache 2.0)
  • Which activities does the license allow?
• Defensive termination
  • Apache 2.0, used by Apache Project, Cloud Foundry, etc.
  • Facebook react.js BSD+patents (deprecated in 2017)
• Other patent provisions
  • GPL v3 provision regarding entering into restrictive patent licenses
  • Custom patent licenses, including field-of-use limitations, that supplement common OS licenses
11. Open Source Patent Provisions
• Pass-through distributor (PTD)
• Modifying distributor (MD)
[Diagram: Contributors → Open Source Code → PTD → Distribution (Open Source Code unchanged); Contributors → Open Source Code → MD → Modified Version → Distribution]
12. Open Source Patent Provisions
Which activities does the license allow?
• Patent licenses do not typically allow:
  (a) Infringement based on downstream modification to the contributor version
  (b) Infringement based on combinations of the contributor version with other software or hardware; and
  (c) Claims infringed by the OS software without the contribution
13. Open Source Patent Provisions – Grant of License
• Apache
  • Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted.
• MIT
  • Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions…
14. Open Source Patent Provisions – Grant of License
• GPL 2.0
  • You may modify your copy or copies of the Program or any portion of it…provided that you…cause any work that you distribute or publish…to be licensed as a whole at no charge to all third parties under the terms of this License.
  • Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein.
15. Open Source Patent Provisions – Grant of License
• GPL 3.0
  • Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version.
  • A contributor's “essential patent claims” are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, “control” includes the right to grant patent sublicenses in a manner consistent with the requirements of this License.
16. Open Source Patent Provisions – Defensive Termination
Defensive Termination Provisions (e.g., Apache 2.0)
• Apache provision:
  • "If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed."
• Which claims trigger the provision?
• Which rights are terminated?
• Can the license be restored?
17. Open Source Patent Provisions – Anti-Discrimination
GPL 2.0
• Prohibits distribution where patent royalties are required
  • If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
18. Open Source Patent Provisions – Anti-Discrimination
GPL 3.0
• Explicitly prohibits discriminatory licenses
  • A patent license is “discriminatory” if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007.
22. Unexpected Open Source Risks
• Merger & acquisition
• Venture investment
• Business deals
• Product releases
• Litigation case studies
• Surprise claims
• License enforcement
23. “Unexpected” Litigation Case Studies
• Twin Peaks v. Red Hat (2012 NDCal)
  • GPL counterclaim in mirror file system case
• IBM v. Asus (2008-9 ITC)
  • Successful GPL license defense involving routers
• Ximpleware v. Versata (2013-5 NDCal)
  • Patent and copyright claims on XML parser arising out of separate commercial litigation in Texas
• German Enforcement
24. Open Source Patent Provisions
Implied License, e.g., under GPL v2 – XimpleWare?
• Implied license: The XimpleWare court noted that the direct patent infringement claim did not apply because the defendants had a license under the GPLv2 for internal use: "The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program)."
• Breach does not negate license to those downstream: the court further stated that, "Because an express license is a defense to patent infringement, XimpleWare’s direct infringement claims against Versata’s customers turn on whether the customers’ distribution is licensed under the GPL. The reason is that the GPL provides that even if the original licensee—here, one of the Versata entities—breaches its license for whatever reason, third-party customers of that original license retain the right to use XimpleWare’s software so long as the customer does not itself breach the license by 'distributing' XimpleWare’s software without satisfying attendant conditions."
• Rights beyond use are still largely unresolved
25. Uncertainties with respect to open source patent licensing
• Implied licenses for licenses that are silent on patent rights
• “Vertical” vs. “Horizontal” licenses
• Apache 2.0 questions
  • How to determine if claims are “necessarily infringed”?
  • Is claim construction necessary?
  • Later-acquired patents?
  • Downstream modifications of licensed contributions?
  • Licensed claims limited to contributions or to other code in work that potentially infringes same claims?
  • Can license be restored?
• Patent damages where there is an open-source alternative
• Patent damages where accused software is open-source
• Issues outside the USA
  • Implied patent licenses may be more limited elsewhere
• Scope of Open Invention Network License
• Effect of pledges such as Open Patent Non-Assertion Pledge, License on Transfer Network
27. Patents and Open Source
Process: typical scenarios where Open Source is raised to patent portfolio managers
1. Invention disclosure form (IDF) submitted with an indication that the subject matter will be part of an OS project
2. Patent team consulted on the impact of the requested OS participation on patent strategy; the impact may be difficult to determine and might require study of the code and individual claim language
3. Third-party code: considering bringing some third-party code into the code base, e.g., in an M&A context
28. Patents and Open Source
Potential Responses, e.g., for Scenario (1) – IDF at time of OS request
a) Proceed with OS contribution / do not pursue patent
b) Proceed with OS contribution and pursue patent
c) Do not proceed with OS contribution and pursue patent
So how does one determine when to raise IP as a consideration in a proposed OS participation and, when an OS participation is approved, whether an associated invention should be patented?
29. Patents and Open Source
Factors for giving OK to OS request / decision whether to pursue patent
• License terms of Open Source
• Scope of contribution (and Work) now and in the future
• Potentially impacted patents
• Talk to submitter and/or review proposed submission; use keywords, tech area, business area, institutional knowledge and/or companies of interest
• Need for patent protection in tech area
• Note: use a “peel the onion” approach
• Consider whitelisting or blacklisting certain OS licenses (and perhaps certain types of patents)
• Is potentially impacted patent in litigation or a candidate for litigation?
• Is potentially impacted patent a highly rated patent or a patent that is tagged as being relevant to a company of interest?
30. General OS Takeaways
• Perform regular source code audits to determine the OSS in current use, and confirm compliance with the applicable license provisions.
• Implement routine inbound and outbound tracking systems to limit the need for expensive/cumbersome audits once a baseline level of compliance is established.
• Maintain a whitelist of acceptable OSS licenses, a blacklist of rejected OSS licenses, and a validation process to approve OSS licenses not on either list.
• Prior to making major software purchases, require vendors to provide OSS audits.
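The takeaways above call for a whitelist, a blacklist and a validation process for every license on neither list, backed by routine tracking of what is in the code base. As an added example (not part of the presentation or of any product it mentions), the following Python gate applies such a policy to a constructed dependency inventory. It goes slightly beyond the slide by handling flat SPDX "OR"/"AND" license expressions and by flagging components whose license, as the earlier slides discuss, carries no express patent grant (MIT; GPL 2.0 resting on implied license) so that the patent team sees them. The allowlist and denylist contents, the inventory format, the component names and the patent-grant classification are assumptions for illustration; the real lists come from IP counsel.

```python
"""Allowlist / denylist / review gate over an OSS component inventory.

Added example, not from the presentation. Policy sets, inventory format and
the patent-grant classification are constructed for illustration only.
"""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(str, Enum):
    ALLOW = "allow"
    DENY = "deny"
    REVIEW = "review"   # on neither list: routed to the validation process


# Constructed policy lists keyed by SPDX identifier (hypothetical choices).
ALLOWLIST = {"Apache-2.0", "MIT", "BSD-3-Clause"}
DENYLIST = {"AGPL-3.0-only", "SSPL-1.0"}

# The slides quote Apache 2.0 and GPL 3.0 as carrying an express patent grant;
# MIT is silent on patents and GPL 2.0 rests on implied license (XimpleWare).
# BSD-3-Clause is placed with the silent grants here by assumption.
EXPRESS_PATENT_GRANT = {"Apache-2.0", "GPL-3.0-only"}
PATENT_SILENT_OR_IMPLIED = {"MIT", "BSD-3-Clause", "GPL-2.0-only"}
KNOWN_IDS = ALLOWLIST | DENYLIST | EXPRESS_PATENT_GRANT | PATENT_SILENT_OR_IMPLIED

_RANK = {Verdict.ALLOW: 0, Verdict.REVIEW: 1, Verdict.DENY: 2}  # worst-case order


@dataclass
class Component:
    name: str
    version: str
    license_expr: str   # flat SPDX expression, e.g. "MIT" or "MIT OR Apache-2.0"


@dataclass
class Finding:
    component: Component
    verdict: Verdict
    notes: list[str] = field(default_factory=list)


def parse_inventory(text: str) -> list[Component]:
    """Parse 'name version license-expression' lines; '#' starts a comment."""
    comps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, version, expr = line.split(maxsplit=2)
        comps.append(Component(name, version, expr))
    return comps


def _verdict_for_id(lic: str) -> Verdict:
    # The denylist wins if an identifier ever ends up on both lists.
    if lic in DENYLIST:
        return Verdict.DENY
    if lic in ALLOWLIST:
        return Verdict.ALLOW
    return Verdict.REVIEW


def verdict_for_expression(expr: str) -> Verdict:
    """'A OR B' lets the integrator choose, so the best term counts;
    'A AND B' binds to every term, so the worst term counts."""
    if " OR " in expr and " AND " in expr:
        return Verdict.REVIEW   # mixed expressions are left to a human
    if " OR " in expr:
        return min((_verdict_for_id(t.strip()) for t in expr.split(" OR ")), key=_RANK.get)
    return max((_verdict_for_id(t.strip()) for t in expr.split(" AND ")), key=_RANK.get)


def evaluate(comp: Component) -> Finding:
    finding = Finding(comp, verdict_for_expression(comp.license_expr))
    ids = {t.strip() for t in comp.license_expr.replace(" AND ", " OR ").split(" OR ")}
    # Flag for the patent team: no express grant anywhere in the expression.
    if ids & PATENT_SILENT_OR_IMPLIED and not ids & EXPRESS_PATENT_GRANT:
        finding.notes.append("no express patent grant; patent rights rest on implied license")
    if not ids <= KNOWN_IDS:
        finding.notes.append("unrecognised license identifier")
    return finding


def audit(text: str) -> dict[Verdict, list[Finding]]:
    """Bucket every component of the inventory by verdict."""
    buckets: dict[Verdict, list[Finding]] = {v: [] for v in Verdict}
    for comp in parse_inventory(text):
        finding = evaluate(comp)
        buckets[finding.verdict].append(finding)
    return buckets


# Constructed sample inventory; component names and versions are made up.
SAMPLE_INVENTORY = """\
# name version spdx-expression
fastxml 2.1.0 Apache-2.0
tinyhttp 0.9.4 MIT
routerd 1.4.2 GPL-2.0-only
dbcore 5.0.1 AGPL-3.0-only
fancylog 3.3.0 MIT OR Apache-2.0
mixedlib 1.0.0 Zlib AND LicenseRef-Vendor-EULA
"""

if __name__ == "__main__":
    for verdict, findings in audit(SAMPLE_INVENTORY).items():
        for f in findings:
            print(f"{verdict.value:<6} {f.component.name:<9} {f.component.license_expr:<32} "
                  + "; ".join(f.notes))
```

Run as a script it prints one line per component with its bucket and any notes; the "review" bucket is the queue for the validation process the slide describes, and the patent-grant note travels with the finding so the patent team is consulted before an "allow" is treated as settling the patent question.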