Let's Have Responsible Disclosure For Open Source Violations

Last week brought news about Microsoft inadvertently using open source code (http://www.informationweek.com/blog/main/archives/2009/11/microsofts_gpl.html) in one of their binary-only tools -- code that had to be redistributed with the tool itself. When this does happen, what's the best way to bring such a mistake to an offending company's attention? Is shouting about it far and wide always wise?

Serdar Yegulalp, Contributor

November 16, 2009



First off, Microsoft deserves credit for doing the right thing in a timely way. The fact that they allowed it to happen was a botch, whether or not someone else wrote the tool for them. If anything, they should have applied double the rigor to code submitted by an outside authority, since anything could be in there. (This could have been done by any number of means -- a GPL-aware auditor, or an automated system like Black Duck's software suite.)

But I'm looking ahead, to the possibility -- the certainty -- that this can and will happen again. Not just to Microsoft, but to anyone in the software business. Rather than wring our collective hands over what the world's coming to, though, let's at least be honest with ourselves. If this can and will happen again, we need a mechanism for dealing with it responsibly.

What I'd recommend is creating some kind of responsible-disclosure protocol for claims of open source abuse -- a way for the aggrieved to pass their notices along through a group already trusted by the open source community. White hats who have detected a possible security issue with some program can go to the company in question and report their concerns to them in private. Likewise, if someone found that a piece of software had undeclared open source code that required disclosure -- code they'd created -- they could use an intermediary with some clout as a formal disclosure channel.

This group could be the OSI, the SFLC -- whatever outfit works, I'm being wholly agnostic here. That way the entire process could be conducted without having to publicly embarrass anyone -- it could be done diplomatically and tactfully, on all sides.

Come to think of it, if a company's using undeclared open source, it is a security issue, isn't it? If it's publicly disclosed that a given piece of software uses open source, and said open source app has a known security issue, it suddenly becomes a target -- especially if it's not been patched by the vendor.

So why do this when it's already possible to talk to the violator directly -- or post something about a software GPL violation on your blog, and have Digg or Slashdot come and spread the word for you? Sure, you could do that. And that's great if the facts are on your side ... but what if they're not? And what's more, if you summon the masses to your side, they may not be as responsible in their behavior as you would be in yours.

I don't know about you, but shouting from the mountaintop sounds like the last step, not the first.

