This sample open source policy was written with reference to the following two materials.
This policy provides the following principles for the entire organization involved in software development, service, and distribution at the OOO company (hereinafter referred to as “the company”) to properly utilize open source software (hereinafter referred to as “open source”).
These principles provide a way for all members of the company to understand the value of open source, use open source correctly, and contribute to the open source community.
All members of the company can check the open source policy at the following link on the internal wiki: [internal_link]
If this policy is not complied with, the following situations may occur:
For these reasons, the company takes violations of the open source policy seriously, and members or organizations that violate it may be subject to disciplinary procedures.
All members of the company can contribute to the effectiveness of the policy and the improvement of the company’s compliance level by understanding the basis and content of this policy and faithfully performing the necessary activities.
This policy applies to the following three parts:
The scope of application can be changed to suit the company’s business environment. In particular, the Open Source Program Manager investigates at least once a month whether there are products that are not applied and are distributed or serviced externally to ensure continuous effectiveness. This is used as a criterion for changing the scope of application when even one case is found.
The procedure for changing the scope of application is as follows:
The Open Source Program Manager continuously reviews, updates, and inspects the scope of application at least once a month to improve it, and documents the history using the Jira Issue Tracker.
The following roles, responsibilities, and competencies required for each role are defined to ensure the effectiveness of the policy.
The responsible organization/person and the level of required competencies for each role are defined in [Appendix 1. Status of Responsible Persons].
The OSRB (Open Source Review Board) is a consultative body composed of the Open Source Program Manager and responsible persons from related organizations such as the legal team, patent team, development team, infrastructure team, etc., for managing open source in the company.
The Open Source Program Manager is responsible for the overall responsibility of the company’s open source program. It has the following responsibilities to ensure the management activities of open source used in products and services:
The Open Source Program Office (OSPO) supports and nurtures open source activities both inside and outside the company.
The Legal Officer provides advice on legal risks and mitigation measures that may arise in the process of using open source, such as interpreting open source licenses and obligations.
The IT Officer operates open source analysis tools and automates them to build a system that allows open source analysis to be smoothly performed for all distributed software.
The Security Officer operates open source security vulnerability analysis tools to build a system that allows security vulnerability analysis to be smoothly performed for all distributed software.
The Development Culture Officer supports in-house developers to actively use open source and participate in in-house and external communities to acquire advanced development culture.
The Quality Assurance Officer, such as QA, checks whether the open source license obligations have been properly performed when distributing software.
All members who are responsible for the roles defined in Chapter 4 must take the advanced open source education course provided by the [Learning Portal]. Through this, they will familiarize themselves with the open source policy, related education policy, and how to look it up.
The education history and evaluation results are kept in the [Learning Portal] for at least 3 years.
When developing and distributing products and services using open source, you must comply with the obligations required by each open source license. This activity is called open source compliance.
For proper open source compliance activities, the software development/distribution organization complies with the following matters and all processes are recorded and preserved in the Jira Tracker.
When introducing open source to product/service development, first identify what the open source license is, and review and confirm the obligations required by the license.
The company’s [Open Source License Guide] includes a list of major open source licenses, and explains the obligations required by each license according to the following types of distribution:
The software development/distribution organization can refer to this guide when reviewing open source license obligations. If you need to review an open source license not mentioned in this guide, contact the open source program manager.
Understand the combination relationship of open source and design the software architecture so that our code is not affected by the open source license.
The company’s [Open Source License Guide] explains the range of source code disclosure for each open source license and how to design to prevent the disclosure of our code.
The most basic of open source compliance activities is to understand the status of open source included in distributed software. This is to properly meet the core of open source compliance, which is the requirements of the open source license. In other words, you need to create a set of compliance deliverables for the open source included in the distributed software.
Open source compliance deliverables are divided into two main categories.
To collect, distribute, and store these compliance deliverables, comply with the following matters.
You can issue an open source notice and collect a source code package to be disclosed through the company’s open source process.
You must create and manage the status of open source included in distributed software (BOM: Bill of Materials).
You can create and preserve SBOM using open source tools through the company’s open source process.
If a compliance issue is raised, the open source program manager performs the following procedures to respond quickly.
The company encourages participation and contribution to external open source projects to create business value from open source. However, care must be taken to avoid unintentional exposure of the company’s intellectual property or infringement of third-party rights during this process. To this end, members of the company must comply with the following when contributing to external open source projects:
Contributing to open source is granting the open source project the right to modify, use, and distribute the work from a copyright perspective. Sometimes, you may need to transfer your copyright to the open source project. However, the copyright of works created during the employment period is generally owned by the employer. In other words, the works created by company members are owned by the company. The act of arbitrarily contributing works to open source can trigger unnecessary copyright infringement issues.
Therefore, if there is an open source project you want to contribute to, you must comply with the review request and approval process before making the initial contribution according to the open source contribution process.
However, in the case of simple content such as the following, you can contribute according to the judgment of the member without the review process because the risk of copyright infringement is not high:
You should only contribute code that you have the right to contribute. In other words, you contribute code that you have written yourself. You should not arbitrarily contribute third-party code.
Do not contribute code or documents that may expose sensitive information or company intellectual property, such as patents.
If the code you want to contribute contains a company patent, you need to check whether this patent can be contributed to the project under an open source license. If there is any ambiguity, contact the OSPO.
Some open source projects require all contributors to sign the CLA (Contributor License Agreement). This is an agreement that seeks consent from contributors to reduce copyright disputes that can arise while the project manages the works of multiple contributors. Typically, projects led by large corporations require you to sign the CLA.
The CLA varies from project to project, but it usually contains the following:
Also, although rare, some CLAs require agreement on the following conditions:
The company does not allow contributions to open source projects that require copyright transfer to protect its intellectual property. To make this judgment, company members must request a review from the OSPO before signing if the open source project they want to contribute to requires signing the CLA.
The intellectual property of the works created by members during their employment is basically owned by the company. Therefore, when members contribute code to an external open source project, they must indicate the company’s copyright.
When contributing one or more files, indicate the copyright and license at the top of the file as follows:
Copyright (c) {$year} {$Company}
SPDX-License-Identifier: {$SPDX_license_name}
Here, $SPDX_license_name is written according to the license policy of the open source project in question.
However, if you are modifying existing code for purposes such as bug fixes, you do not need to indicate copyright for the code modification.
When contributing to an open source project, do not use personal email, use company email. Through this, (1) members have a sense of responsibility to communicate with the community on behalf of the company, and (2) the company can improve its recognition as a company that actively contributes to the open source community.
The company respects the value of collaboration with the open source community and encourages the release of internal software to open source projects. However, there are a few rules to follow to protect the company’s intellectual property and prevent unintended copyright infringement.
Open source release is granting anyone the right to modify, use, and distribute the work through an open source license from a copyright perspective. Generally, the copyright of works created during the employment period is owned by the employer. In other words, the works created by company members are owned by the company. The act of arbitrarily disclosing works to open source can trigger unnecessary copyright infringement issues.
Therefore, if you want to disclose software as open source, you must follow the review request and approval process according to the company’s open source release policy.
If there is anything that seems undesirable in the process of release, do not hesitate to contact the OSPO.
One of the worst situations that can occur in an open source project is the inclusion of legally problematic code in the project. Code that the company does not have the right to distribute, or code that infringes on the IP of another company, such as a patent, can cause legal problems. Therefore, while preparing to disclose the code, check the source of all code and remove any code that may be problematic.
Do not disclose code or documents that may expose sensitive information or company intellectual property, such as patents.
If the code you want to disclose contains a company patent, you need to check whether this patent can be disclosed under an open source license. If there is any ambiguity, contact the OSPO.
In order to be a successful project, it must also be useful to others. If a similar project already exists, participate in the existing project rather than creating a new one.
The open source you want to disclose should (1) provide differentiated value to the open source community, (2) solve problems that the community has not been able to solve, and (3) be expected to attract positive attention by disclosing our technology.
Secure a budget for the infrastructure needed to maintain and manage the project. This includes project hosting tools like GitHub. If you cannot create an environment that supports sufficient resources, do not disclose it as open source.
When conducting open source release activities, use company email instead of personal email. This has the following benefits:
The Open Source Program Manager is responsible for responding to inquiries and requests about open source from outside.
The Open Source Program Manager provides contact information publicly so that outsiders can make inquiries and requests related to open source.
If you respond quickly and accurately to open source inquiries from outside, you can greatly reduce the risk of claims or legal litigation. To this end, the company complies with the external inquiry response procedure defined in the company’s open source process to respond to external open source inquiries.
The company supports the spirit of the OpenChain project of the Linux Foundation for improving the level of open source compliance in the software supply chain and actively participates.
No | Role | Responsibility | Required Skills | Responsible Organization | Person in Charge |
---|---|---|---|---|---|
1 | Open Source Program Manager | Responsible for overseeing the company’s open source program. | 1. Understanding of software development process 2. Understanding of intellectual property related to open source licenses such as copyright and patents 3. Expert knowledge of open source compliance 4. Open source development experience 5. Communication skills | CTO | OOO |
2 | Legal Officer | Interprets the obligations of open source licenses and provides advice to mitigate legal risks that may arise in utilizing open source to fulfill these obligations. | 1. Basic knowledge of the open source ecosystem 2. Expert knowledge of software copyright 3. Expert knowledge of open source licenses | Legal Team | OOO |
3 | IT Officer | Operates and automates open source analysis tools to build a system that allows open source analysis to be performed smoothly for all software for distribution. | 1. Basic knowledge of open source compliance process 2. Understanding of open source analysis tools 3. Expert knowledge of IT infrastructure | IT Infrastructure Team | OOO |
4 | Security Officer | Operates open source vulnerability analysis tools to build a system that allows vulnerability analysis to be performed for all software for distribution and ensures that discovered vulnerabilities are remedied according to standards. | 1. Broad understanding of DevSecOps 2. Understanding of open source vulnerability analysis tools 3. Expert knowledge of open source vulnerabilities 4. Communication skills | Security Team | OOO |
5 | Development Culture Officer | Supports internal developers to actively utilize open source and participate in internal and external communities to acquire advanced development culture. | 1. Understanding of software development process 2. Basic knowledge of open source compliance 3. Understanding of open source policy | DR | OOO |
6 | Business Department | Software development/distribution organizations comply with open source policy and process for proper open source utilization. | 1. Understanding of software development process 2. Basic knowledge of open source compliance 3. Understanding of open source policy 4. Basic knowledge of open source licenses | Development Team | All members |
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.