


by Richard Fichera

Vendor Indemnification Programs Offer Smart Options for Users

Feb 02, 2004

Vendor indemnification programs have emerged as one element of a risk mitigation strategy for those considering the adoption of Linux in the face of the current legal uncertainty surrounding its use. The number of such options has grown with recent announcements by Open Source Development Labs (OSDL) and Novell. These programs, although offering very different options for Linux users, effectively deliver a strong message to SCO that they will not allow the Linux community to be intimidated into settlement before any of the highly contentious issues of fact and law have been decided in court. That process may take until at least 2005, and possibly longer for any individual cases that SCO brings against end users, should it follow through on its threats to do so.

Taken together, these two programs, along with previously existing programs from vendors such as BEA and HP, offer a substantive safety blanket for end users who are contemplating using Linux but are concerned about their potential legal liability in the face of an aggressive fear, uncertainty and doubt (FUD) campaign by SCO, which has included threats of direct litigation against Linux end users – an almost unprecedented step in technology vendor IP disputes.

The two most recent programs by OSDL and Novell are different, and users need to be aware of the differences. The OSDL program is a little “softer” in that it establishes a fund, with an initial goal of $10 million, for the purposes of funding the legal defense of end users sued by SCO. As far as we know, it does not guarantee indemnification for an adverse outcome, but does provide a degree of comfort for users faced with the decision whether to buy a license from SCO in order to avoid a legal bill that could potentially be grossly disproportional to the license revenues at stake.

Novell’s announcement was a “classical” indemnification program for users, offering users of its SuSE Linux Enterprise Server 8 indemnification against copyright claims by any plaintiff, including SCO. According to Novell, indemnification is subject to the following high-level qualifications:

  • Indemnification is offered for copyright infringement claims made by third parties against registered Novell customers that obtain SuSE Linux Enterprise Server 8 and that, after January 12, 2004, obtain upgrade protection and a qualifying technical support contract from Novell or a participating Novell or SuSE Linux channel partner.
  • Customers must accept the program terms and conditions including caps and other limitations.

By removing this questionable, and almost unprecedented, tactical lever from SCO’s “sales” arsenal, the existence of these programs will slow what is already believed to be an anemic uptake of SCO’s licensing program. When added to the existing programs from HP and ISVs such as BEA, these programs send a strong signal to users that the industry remains confident that their exposure to SCO is low to non-existent.


For users with any concerns about liability, both vendor-specific indemnification and a more general blanket program such as that offered by OSDL can reduce perceived legal risk. The OSDL program offers a vendor-neutral security blanket, subject to its funding limits and other conditions. For users with a higher level of paranoia who are willing to sacrifice some degree of vendor independence, it makes sense to steer purchases to Linux vendors that offer some level of indemnification, provided that (1) there are no technical impediments and (2) the terms of the indemnification are acceptable. Those terms are usually tailored to motivate users to stay with an environment specified by the vendor, thus locking users into the vendor’s product line.