Uncovering Risks of Open-Source Software: A Technical Approach to M&A Due Diligence (Part 1)

Jun 22, 2023 | Portfolio Governance

In this first of a two-part series from guest authors Tuyana Molokhoeva and William Luk of Quandary Peak, we look at some of the main considerations of uncovering open-source software risks in M&A.

Software has never been more sophisticated or complex, and with ever-growing time pressure to release new products and features, many companies are increasingly integrating open-source software (OSS) components into their product offerings to accelerate time to market. These components range from simple functions that expedite database transactions to full-blown user-interface frameworks.

The use of OSS in any software product dramatically shortens the time to roll out new features, but it also poses potential risks to the product and to the organization behind it. Equity and investment firms must understand and assess a target company’s use of OSS and the associated risks as part of diligence in any M&A transaction. Failure to properly assess OSS risks could lead to security exposure (ranging from denial of service to a high-profile data breach) and, in some extreme cases, require the company to disclose its proprietary software to the open-source community. In December 2008, the Free Software Foundation (FSF) filed suit and successfully forced Cisco to release the firmware source code for their Linksys WRT54G router to the open-source community.

For these reasons, companies should conduct thorough due diligence to identify any OSS-related risks associated with an M&A target and take appropriate steps to manage those risks, such as remediating any license issue, implementing security controls, and incorporating appropriate legal protections into the transaction documentation.

Licensing Risks

There are several key risks related to licensing obligations when it comes to OSS software in M&A transactions.

One is that the OSS used by the target company may be subject to very restrictive licensing obligations, such as the requirement to disclose the source code or to distribute any changes made to the code. So-called “copyleft” licenses, such as the GNU General Public License (GPL) family, require a company to make its own proprietary software publicly available if it is derived from the OSS, along with any modifications it has made to that OSS.

Non-compliance with the licensing terms when using the OSS can result in legal liability, including copyright infringement and breach of contract.

Another risk is that the company may inadvertently be in violation of OSS licensing terms by distributing software that includes OSS components without meeting the attribution requirements or providing the corresponding source code. This could lead to legal action and can also damage the company’s reputation.

Even less restrictive OSS licenses that require disclosing only the changes made to the OSS libraries can pose organizational risk. For example, those changes may contain the company’s trade secrets. If not carefully examined, proprietary code that finds its way into an OSS library will have to be disclosed to the OSS community.

As OSS libraries and packages evolve, their licensing terms may change. The change is usually toward less restriction. However, some OSS authors switch to a commercial licensing fee above a certain threshold, such as more than x users. Organizations must stay on top of their OSS license obligations and evaluate changes to the licensing terms during upgrades.

While most OSS libraries are offered under standardized licenses, which are usually categorized as high risk (e.g. the GNU General Public License), medium risk (e.g. the Mozilla Public License) and low risk (e.g. the MIT License), some OSS projects use custom licenses that may contain terms imposing additional obligations and restrictions on the use of the product. It is crucial to identify such custom licenses during technical due diligence so that legal teams can further analyze their terms and avoid any risk of non-compliance.

Another potential issue that is often overlooked is license conflicts. OSS libraries can pull in subcomponents (termed “dependencies”) that are distributed under a different license from the one the library itself is provided under, and those dependency licenses can impose more restrictions than the library’s main license.
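The two checks described in the preceding paragraphs, tiering each license as high, medium or low risk with custom licenses routed to legal review, and flagging a dependency whose license is more restrictive than that of the library pulling it in, are easy to automate once a dependency inventory exists. The script below is an added example written for this page, not code from the article or from Quandary Peak. It follows the article’s high/medium/low categorization; the SPDX identifiers beyond GPL, MPL and MIT and their tier placement are this example’s assumptions, and the component names, licenses and dependency graph are constructed for illustration.

```python
"""Flag license-tier risk and license conflicts in an OSS dependency graph.

Added example, not from the original article. Tiers follow the article's
high/medium/low categorisation; everything below the tier table is
constructed sample data.
"""
from collections import deque

# Tier by SPDX identifier. GPL, MPL and MIT are the article's own examples;
# the other identifiers are placed in the same tiers by assumption.
RISK_TIER = {
    "GPL-2.0-only": 3, "GPL-3.0-only": 3, "AGPL-3.0-only": 3,  # high: strong copyleft
    "LGPL-2.1-only": 2, "MPL-2.0": 2, "EPL-2.0": 2,             # medium: file/library-level copyleft
    "MIT": 1, "BSD-3-Clause": 1, "Apache-2.0": 1, "ISC": 1,     # low: permissive
}
TIER_NAME = {1: "low", 2: "medium", 3: "high"}


def classify(license_id):
    """Return (tier, label); tier is None for custom or unrecognised licences."""
    tier = RISK_TIER.get(license_id)
    return (tier, TIER_NAME[tier]) if tier else (None, "custom/unknown")


def audit(components, direct_deps):
    """Walk the OSS graph from the product's direct dependencies.

    components: name -> {"license": <SPDX or custom id>, "deps": [names]}
    Returns findings of two kinds:
      custom_license - licence outside the standard set; hand to legal review
      escalation     - dependency sits in a higher risk tier than the library
                       that pulls it in (the article's "licence conflict")
    Each parent->child edge is visited once, so diamonds are reported per
    parent and cycles terminate.
    """
    findings, seen_edges = [], set()
    queue = deque((None, name) for name in direct_deps)
    while queue:
        parent, name = queue.popleft()
        if (parent, name) in seen_edges:
            continue
        seen_edges.add((parent, name))
        lic = components[name]["license"]
        tier, label = classify(lic)
        if tier is None:
            findings.append({"kind": "custom_license", "component": name,
                             "license": lic, "parent": parent})
        elif parent is not None:
            parent_lic = components[parent]["license"]
            parent_tier, parent_label = classify(parent_lic)
            if parent_tier is not None and tier > parent_tier:
                findings.append({"kind": "escalation", "component": name,
                                 "license": lic, "tier": label,
                                 "parent": parent, "parent_license": parent_lic,
                                 "parent_tier": parent_label})
        for child in components[name]["deps"]:
            queue.append((name, child))
    return findings


def highest_tier(components, direct_deps):
    """Worst standard-licence tier reachable from the product; custom licences
    are excluded here because audit() reports them separately."""
    seen, stack, worst = set(), list(direct_deps), 0
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        tier, _ = classify(components[name]["license"])
        worst = max(worst, tier or 0)
        stack.extend(components[name]["deps"])
    return TIER_NAME.get(worst, "none")


# Constructed inventory of a hypothetical target's OSS dependencies.
COMPONENTS = {
    "ui-framework": {"license": "MIT",             "deps": ["style-engine", "dom-diff"]},
    "style-engine": {"license": "MPL-2.0",         "deps": []},
    "dom-diff":     {"license": "GPL-3.0-only",    "deps": []},   # copyleft under a permissive parent
    "db-helper":    {"license": "Apache-2.0",      "deps": ["fast-hash"]},
    "fast-hash":    {"license": "Acme-Custom-1.0", "deps": []},   # custom licence: legal review
}
DIRECT_DEPS = ["ui-framework", "db-helper"]

if __name__ == "__main__":
    for finding in audit(COMPONENTS, DIRECT_DEPS):
        print(finding)
    print("worst tier reachable:", highest_tier(COMPONENTS, DIRECT_DEPS))
```

In practice the `COMPONENTS` map would be populated from the target’s lock files or an SBOM rather than typed in, and the tier table should be agreed with counsel before the review, since the placement of a license in a tier is a legal judgement the script only applies.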

To mitigate these risks, companies should conduct a thorough due diligence review to identify any OSS-related licenses and obligations associated with the M&A target and take appropriate steps to ensure that they can meet those obligations, such as obtaining necessary licenses, implementing security controls, and incorporating appropriate legal protections into the transaction documentation.