Chapter 10. Developing a Corporate Open Source Policy

A sample open source policy appears in Appendix 10A. This chapter discusses the pros and cons of creating such a policy and outlines some of the major issues it should address.

It is not yet crystal clear whether having a written corporate open source policy is a best practice, although most lawyers today would probably say it is. While policies have certain settled legal effects in other areas of law (e.g., employment policies, which help avoid liability for discrimination and harassment), the effect of policies in the open source arena is untested. Corporate policies generally serve two purposes: to communicate corporate management's decisions about open source to employees, and to provide evidence that the corporation is not willfully ignoring legal issues relating to open source code. It is a common suggestion today that the Sarbanes-Oxley Act (SOX), the corporate responsibility law enacted in response to the financial scandals of the early 2000s, requires a written open source policy. In brief, this is not true. A written policy may be a best practice, but SOX is not the only—or even the principal—reason for this.

SOX requires each public company to have a special audit committee that signs off on all of the financial auditing procedures for the company. However, some companies may want the audit committee to address other procedures as well, to further insulate the company, or its individual officers and directors, ...

From The Open Source Alternative: Understanding Risks and Leveraging Opportunities, available on the O’Reilly learning platform.