Thursday, October 27, 2016

SAM Practitioners: Watch Out for This Source Code Escrow Disaster


When your enterprise acquires a mission critical software package or suite it is vital that you include a “software code escrow” clause in the license agreement. This practice is intended to ensure that, should the software publisher shut down, go out of business, or become the victim of a buy-out, you will still have access to the original source code for your application. Essentially, the full source code is placed in storage with an independent third party for later recovery and use. Unfortunately, the source code escrow safety net concept has frequently become a casualty of sharp business practices.
Government Software Asset Managers: Be VERY aware of source code escrow. This single contractual clause is nearly as critical to your ongoing operations as the software products themselves. Also, to be fully compliant with FITARA and/or MEGABYTE, this clause should always be utilized as a key element of due diligence in technology spending.
The way escrow was originally designed to work is as follows: The software publisher places the code for your specific version/release of the application in secure storage with the escrow holder. If, or when, the software publisher goes out of business, you have the right to acquire that source code so that your mission critical application doesn’t fade away: your enterprise downloads the code and continues using the product, theoretically without interruption.

Real World: We’ve seen multiple instances of major software publishers that have been bought out by competitors who have immediately ceased all support of the acquired publishers’ applications with the specific intent of forcing consumers to acquire an entirely new product line when the first is no longer available. Source code escrow is the only recourse for a consumer who finds their applications have been phased out.

In recent years, however, the way escrow has been working has been anything BUT effective. On one hand, software publishers tend to be hesitant to genuinely deliver working source code to the escrow holding service. Instead, they may (intentionally, or not) deliver the wrong code, or deliver code that is defective. On the other hand, software publishers may actually deliver valid code, but that code is never checked to ensure that it transferred accurately and completely.


The bottom line is that, when the consumer attempts to access the code, it is essentially useless – it won’t work at all or the code is for the wrong product, version, or release. The end result is a source code escrow safety net that literally fails to provide its intended value – leaving the consumer holding a mission critical application that is gradually failing to function.


Resolution: When negotiating for ANY mission critical application, always include a source code escrow process. Fully define that process and include very specific procedures for conducting periodic code reviews to ensure that the code you THINK is available for your safety net genuinely IS available, is intact, and is the correct version/release to match the product you are using. Also, ensure that you allow for transfer, storage, and testing of any future upgrades, patches, fixes, or modifications to the base code.
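As an added illustration (not part of the original post, and not a tool from TAMInstitute or any escrow service), the kind of check a periodic escrow review can automate: a manifest of SHA-256 digests plus a version string is built from the release you actually run, and the deposit retrieved from the escrow holder is compared against it for a version mismatch, missing files, and files that changed in transit. The product name, version, file names and the drifted deposit are constructed sample data.

```python
"""Verify a source code escrow deposit against a release manifest.

Added example; the product name, version and file trees below are
constructed sample data, not a real deposit.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large trees do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(tree: Path, product: str, version: str) -> dict:
    """Record every file under `tree` with its digest, keyed by relative POSIX path."""
    files = {}
    for path in sorted(tree.rglob("*")):
        if path.is_file():
            files[path.relative_to(tree).as_posix()] = sha256_file(path)
    return {"product": product, "version": version, "files": files}


def verify_deposit(deposit: Path, manifest: dict, expected_version: str) -> dict:
    """Compare the escrow deposit with the manifest of the release in production.

    Returns a report with the version check plus lists of missing, modified and
    unexpected files; `ok` is True only when the version matches and nothing is
    missing or altered (extra files are reported but do not fail the check).
    """
    actual = build_manifest(deposit, manifest["product"], manifest["version"])["files"]
    report = {
        "version_ok": manifest["version"] == expected_version,
        "missing": [],
        "modified": [],
        "extra": sorted(set(actual) - set(manifest["files"])),
    }
    for rel, digest in manifest["files"].items():
        if rel not in actual:
            report["missing"].append(rel)
        elif actual[rel] != digest:
            report["modified"].append(rel)
    report["ok"] = report["version_ok"] and not (report["missing"] or report["modified"])
    return report


def demo() -> dict:
    """Constructed scenario: one file altered in transit, one never delivered."""
    with tempfile.TemporaryDirectory() as tmp:
        release = Path(tmp) / "release"   # the version/release you actually run
        deposit = Path(tmp) / "deposit"   # what came back from the escrow holder
        for root in (release, deposit):
            (root / "src").mkdir(parents=True)

        (release / "VERSION").write_text("4.2.1\n")
        (release / "src" / "main.c").write_text("int main(void) { return 0; }\n")
        (release / "src" / "util.c").write_text("int helper(void) { return 1; }\n")
        manifest = build_manifest(release, "ExampleSuite", "4.2.1")

        # The deposit drifted: main.c differs, util.c is absent, VERSION is intact.
        (deposit / "VERSION").write_text("4.2.1\n")
        (deposit / "src" / "main.c").write_text("int main(void) { return 1; }\n")

        return verify_deposit(deposit, manifest, expected_version="4.2.1")


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A digest comparison only proves that the deposit matches what you fingerprinted at deposit time and carries the release you run; it cannot tell you whether that code is defective. A review procedure therefore also needs a build and test of the deposit on a clean machine, and the manifest has to be regenerated (ideally signed by both parties) every time a patch or upgrade is deposited, which is what the transfer-and-testing language in the clause is for.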

All of this is even more critical when we plug so-called cloud services into the mix. Keep in mind that a clear majority of cloud storage service contracts include a clause that permits the service provider to relocate your stored data to another server - anywhere on the planet - without notifying you or obtaining your consent. The end result is that you will simply not be aware of the condition of, or location of, your code - possibly (probably?) a significant disaster scenario.


Failure to take these basic steps during the original negotiations with the original software publisher can expose your enterprise to sharp practices – whether deliberate or unintentional – that could easily spell complete failure of a mission critical application in the long term.


As usual, there is much more to source code escrow than we can cover in this briefing. For additional software life cycle management training, check in at TAMInstitute.org for additional strategies and tactics that genuinely work in the real world.