For a year or more now, there have been some attempts to insure risks of open source, mostly attempts to protect against lawsuits claiming intellectual property infringement, such as the SCO lawsuits. Most of this protection has been organized by
individual open source vendors, such as Red Hat, HP, or Novell.
Now Lloyds is announcing plans to offer wider coverage that is not tied to any particular vendor, in conjunction with an organization called Open Source Risk Management (OSRM). According to
an article by Gavin Clarke in the Channel Register:
OSRM will assess both the risk of the software in use and the individual company, before passing on the risk to the appropriate insurance company on the Lloyds market.
According to OSRM’s web pages, such coverage will go beyond the specific code sold by open source vendors, to also cover code modified by users. That is, it will cover open source as open source, not just as a specific vendor’s product.
The $7 million settlement Microsoft won against spammer Scott Richter is all over the news, as it should be.
Microsoft says it will dedicate $5 million of that to further spam fighting.
One story says that
the spammer’s insurance company will help pay.
If there was ever anything that should be excepted from insurance
coverage, deliberately spamming (as opposed to your computers being
used without permission by somebody else) should be it.
Cringely has a PBS column of 4 August 2005 about The New Robber Barons that revolves around the
Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act (SOX)
and other recent legislation.
The key to his argument is that:
These laws, especially the Gramm-Leach-Bliley Act of 1999 (GLBA), now
make the victim of cyber theft into a criminal. And under Sarbanes
Oxley, directors are held liable and can be sent to jail.
So suppose you’re a small financial institution, such as a credit union.
It’s hard to keep track of everything, and eventually you’re likely
to have some information stolen.
You can try to keep it from the public, but you can’t keep it from
your accounting firm.
TippingPoint (owned by 3Com) and iDefense (owned by Verisign)
are both offering bounties for disclosure of vulnerabilities.
Both firms apparently intend to reveal the disclosures to the
affected vendors, rather than to the public.
Mozilla has for some time been paying $500 per bug found.
And of course there are numerous other organizations looking for flaws
in everyone’s code; many of these organizations won’t tell the vendor first.
Maybe it’s better to encourage as many friendly eyes to look at your code
so they’ll tell you before somebody else uses a vulnerability as an exploit
or tells the public before they tell you.
Hm, this sounds a lot like open software.