Chapter 28: Legal Considerations

Chapter 28 examines the complex legal landscape surrounding software supply chain security, addressing issues that organizations and individual maintainers must navigate when developing, distributing, and consuming software.

The chapter begins with open source licensing, exploring how different license types (permissive vs. copyleft) create varying obligations when patching security vulnerabilities. Organizations must understand license compatibility across dependency trees and properly manage contribution agreements when submitting upstream fixes.

Liability for software defects is evolving rapidly. Traditional "as-is" disclaimers have historically shielded software vendors, but this framework is shifting. The EU Cyber Resilience Act introduces manufacturer liability for security failures, while U.S. policy signals movement toward holding software producers accountable for reasonable security practices.

Open source maintainers face unique liability concerns given their typically unpaid, volunteer status. The chapter examines protections available through license disclaimers, foundation membership, and regulatory carve-outs like the EU CRA's non-commercial exclusion and "open source steward" concept.

Export controls and sanctions create compliance challenges for globally-distributed open source software. The publicly available exception protects most open source activity, but organizations must understand encryption notification requirements and sanctions restrictions affecting certain countries and entities.

Patent risks transfer through dependencies, potentially exposing organizations to infringement claims for functionality implemented in third-party code. Defensive patent pools like the Open Invention Network and licenses with explicit patent grants provide meaningful protection.

Finally, the chapter addresses criminal liability for intentional supply chain attacks, covering applicable federal statutes, international prosecution frameworks, and guidance for cooperating with law enforcement when organizations become victims.