Comment Clarifications from OSRM (Score 1) 110
Thank you to everyone for the healthy and extended discussion of Open Source Compliance Insurance. It's always exciting to see the level of energy and scrutiny that the Open Source community applies to new offerings. It keeps everyone honest.
I wanted to clarify and explain a few things about the offering, which BTW is officially underwritten by Kiln and sold by Miller; OSRM is not an insurance broker. We are an Open Source risk consultancy.
First, let me respond to the idea that insurance encourages infringement. That would imply that once the insurance is in place, you could do whatever you want, which isn't logical. From the insured's perspective, it's a little like saying that because you have homeowner's insurance, you're going to have a bonfire in your living room. Or that because you have auto insurance, you should just ignore all traffic signals. If people (and corporations) behaved this way, no underwriter would ever write a policy. In addition, if corporations are intentionally violating the license agreements, that is not an insurable event, and the policy would not pay them a dime. Hence, no incentive to infringe.
Bottom line: This insurance provides coverage for UNEXPECTED events, which is true for any insurance policy. Just like your homeowner's insurance provides coverage if a tree falls on your house.
OSRM's role is to help Kiln make sure they are taking on an acceptable level of risk, much like an insurance inspector might visit your hillside house to see if it was structurally sound (and not likely to slide into the ocean), before the underwriter wrote you a homeowner's policy, or similar to an insurance company checking your driving record before deciding whether to provide auto insurance.
We perform an on-site code scan and inspection to ensure current compliance with the GPL and other licenses. As the insured, you also need to commit to best practices going forward, such as having appropriate policies and agreements in place for Open Source use. We believe there is nothing to fear in knowing how your own and others' code uses or includes Open Source. If you haven't been keeping track to date, a scan from a Palamida-type product is useful. But a scan can't tell you what, if anything, you would need to CHANGE to come into full compliance -- which is a prerequisite to obtaining this insurance. That is OSRM's role.
Also, please understand that if an infringement event occurs, the client ONLY gets an insurance payment AFTER they have brought their software into full compliance. So, again, there's no incentive to infringe because you aren't going to get paid until you spend YOUR money to bring the software back into compliance. And obviously, you can only get reimbursed for what you spent.
The OSRM compliance review is a great way to give companies accurate information about what Open Source they have in-house, and an incentive to come into compliance (so that they can be insured against unexpected events), and the process helps establish bright-line standards for compliance.
Thanks!

Karen Hiser, OSRM