Preventing the bait and switch by open core software companies

Published: Oct 21, 2022
By: Sid Sijbrandij

Open source is more than a license, it’s a company charter.

The commercial promise of open source stewardship is a red button in a glass case. At any point, an open core company using a permissive software license and/or a Contributor License Agreement (CLA) can decide to “push the red button” and change the project license.

[Figure: Switch difficulty of OSS licenses and agreements]

While most open core businesses operate with good intentions, maximizing shareholder value is the ultimate goal of a corporation. The pressure to create revenue can cause companies to change from open source to non-compete licenses, which allow mostly free use of the code but exclude use by SaaS companies offering the same service. In the cases of Redis and Elasticsearch being service-wrapped by the hyperscale clouds, switching from an open source license to a non-compete or other license was a rational business decision. But non-compete licenses are not open source.

Examples of companies switching open source software to limited licenses have rattled open source communities. The only way to protect open source indefinitely, without giving the project to a software foundation, is by using a copyleft license with a Developer Certificate of Origin (DCO). But copyleft licenses are often considered too restrictive to drive adoption. The more popular permissive licenses carry the benefit of mass adoption, but they always allow a switch to a non-compete license. Relicensing can happen once a prominent company is behind the project, despite a large community opposing the change. As seen in the cases of Redis, Elastic, etc., the pressure to “press the red button” can be powerful. While this is not inherently bad, we are developing an alternative approach at Open Core Ventures (OCV), which aims to make it more difficult to switch an open core project from a permissive to a non-compete license.

“It’s important not to orphan a community codebase,” said open source software licensing specialist Heather Meeker, General Partner at OSS Capital. “It can be hard to define what that means, but it’s disruptive to withdraw code from a public repository and then change the license. The challenge is to ensure a commitment to the community as ownership interests change over time. You need protective provisions, so companies don’t abandon their open source roots.”

With Heather Meeker’s input, we developed the OCV Public Benefit Company (OPBC) charter aiming to do just that: safeguard the original mission of open source projects and the value contributed by the open source community.

Open source as a company charter

At OCV, we start and invest in open core companies. We identify open source projects with traction and recruit CTO/CEOs (we typically contact the author of the project first) to build a commercial application and company around it. Our vision is that open core will eventually replace proprietary software as the default. Preventing a “bait and switch” from open source to proprietary is central to our model. It is for this reason we think open source is more than a license—it’s the base of all software companies.

For open core to become the default, there needs to exist a mechanism for protecting the balance between open source and its commercialization. Licensing is one way but can be changed. Another way is to create a legally binding commitment from the company.

Instead of choosing a traditional entity structure, companies can register as a public benefit corporation (PBC) and include a specific set of public benefits in their company charter. PBCs are for-profit organizations that are “created to generate social and public good” in addition to generating revenue. A public benefit corporation has a legal obligation to operate in a “responsible and sustainable manner.” A PBC must report on progress in delivering its public benefit, and there are serious consequences if the company deviates from its intended purpose.

We’ve open-sourced the OPBC charter under the Creative Commons Attribution-ShareAlike 4.0 license. Open core companies are free to use the OPBC charter in their articles of incorporation with attribution. An OPBC takes on a legal responsibility to maintain and actively develop a viable, secure open source project in addition to any proprietary code it creates. The charter specifically lists open source as the public benefit and includes the guidelines that must be met:

  1. Protecting community contributions by not allowing the removal of any software products that were previously open source.
  2. Open sourcing all testing frameworks used for open source features.
  3. Not creating constraints or limitations such as user or performance limits, size, or the number of repositories to projects the company has made available under an open source license.
  4. Ensuring the majority of new features added in a calendar year are made available under an open source license.
  5. Explicitly communicating which code is open source and which is proprietary.
  6. Not withholding or intentionally delaying the release of security fixes for open source features.

The approach ensures that an open core company can’t switch to solely creating proprietary software. The charter also addresses other issues we have seen in open source projects like withholding security fixes and transparency issues. “The typical approach that open core companies take is to withhold features that scale for enterprise use,” said Heather. “The issue is when they also withhold security fixes to community code, while maintaining commercial code, or when they aren’t clear about what is open source and what is proprietary.” Including security and licensing transparency in the charter ensures companies work to get these things right.

The benefit of creating an OPBC is that we remove the “red button in the glass case.” The charter protects the open source ethos of open core and fosters trust with the open source community. For OCV, it makes the arrangement more palatable for the founder, so we get to start companies we otherwise wouldn’t have been able to start.

The drawback is that an OPBC may face a higher hurdle for VC investment. This may result in a potentially lower valuation compared to a traditional entity. However, I believe in a possible future where carrying the OPBC charter is beneficial. Maybe in the far future this will become the norm: it will be a benefit to have it, and people won’t trust open core companies without it. We believe the OPBC entity structure is a way to give open source creators and contributors peace of mind that their project’s code will not be closed by the company.

We’re launching our first OPBC company, Authentik Security, in November. Authentik Security is a cybersecurity company that provides identity management solutions around single sign-on, user enrollment, and other access control features.

We expect to improve the licensing text over time as we receive feedback on it.