Ask HN: Is source code escrow still a thing?
7 points by amath on Oct 20, 2023 | 9 comments
We are releasing a self-hosted platform that builds on the open source project we have developed. Recently a prospective customer asked if we would put our source code for the platform in escrow. As additional context, our platform is used in an OEM capacity in some cases and this is why the customer insists on an escrow. I’ve been warned by lawyers that this could cause problems for future acquisition or investment. This is the first request we’ve had for this and I’m trying to get some more information if:

1. Source code escrow is still a thing?
2. If you have dealt with this in the past, how did you work around it?
3. Are there some licenses that could both protect us commercially and ensure the source code existed if we dissolved the business?



Customer is either worried your company is too young/unstable or it's the standard procedure. If your company goes bankrupt then it's indeed unclear to me who owns the source code, the escrow contract might cover that.

Increase the price, double it, that's a very custom request for you.

We did it 6 years ago with a big enterprise customer. The escrow company got read access to one git repository (custom development outside our usual offering). I think the other option was to send them a DVD with the code. Customer paid for the escrow. A year later they either forgot or cancelled; we never had to update our code. Monetarily, the customer contract value was worth the trouble. We never had another escrow request.


Thanks for sharing. I hadn’t heard of many scenarios in recent years, but I’m not sure if that’s just because nobody advertises that they had to put the source code in escrow.


I had to do this 10 years ago for a SaaS application. It was standard procedure from the customer in question (a large multinational corporation) for "critical applications" - and I could understand their motivation. However, on renewal of the contract, the escrow clause was dropped - I'm not sure if this was because we were more trusted, or their policies changed (I think the cost was a factor).

Many other large customers consumed our services, but none of those have asked for an escrow - some have contracted for "special ways" to remove their data (for example direct access to database backups and so on) in the case that we would go insolvent - I'm not sure what legal mechanism this used.

For the customer in question they had several "levels" of escrow - and in this case they wanted the full escrow, which is more than just a dump of the code - it required all code, all dependencies, all bootstrap data, all configuration files, all build tools, and detailed instructions for building and running the app. An external company worked with us so that they could independently build the application, and witness it running. It was very expensive, very disruptive, very time consuming (it took about 3 days of prep, and 5 days with the external company). I remember it felt like a lifetime. The customer picked up the bill for the escrow, that included the cost of the independent company, and our time (but not the opportunity cost).

In my opinion they are of very little value (for example the code continually goes out of date, who's going to run the service because they don't have the skills). In my experience it was a total PITA, and personally I'd avoid it, and try as hard as I could to use a different device to provide the assurance that they need (e.g. contracting that they can access their data in the event of insolvency, or at a push putting the built artifacts and runtime configurations into escrow).


Thanks for sharing! It does seem like a lot of trouble for little if any benefit.


5 days. This is very short imo.


Hi there,

In the spirit of openness: brand new user, so forgive me if I break any rules early doors, and I work for the world's largest software escrow company... so sorry if this comes across as a little biased!

Yes, source code escrow is still a thing and is in fact being used significantly more frequently due to a raft of regulatory changes going on globally that directly name escrow as a requirement. (PRA, OCC, MAS, HKMA, IOSCO, FFIEC to name a few).

If you need any help I'll do my best.


Source code escrow can indeed be a consideration in scenarios like this, where your platform is used in an OEM capacity. While it can provide reassurance to the customer, it's important to navigate it carefully. There are licenses, such as the GNU General Public License (GPL) or the Apache License, that can protect your commercial interests while ensuring the availability of the source code.

To delve deeper into software licensing and commercial protection, Rather Labs (https://www.ratherlabs.com) offers insights into AI, GPT, and blockchain development, which can be valuable in addressing such complex matters. It's worth exploring to make informed decisions regarding source code escrow.


I presume you have made non-open source additions, so only those additions require escrow assurance for the customer. Why not just license those portions? You would still retain all the IP.


Correct, there is the open source project and then the platform is proprietary and has additional features.

We are licensing those portions and those are what are requested to be in escrow. Do you mean a copyleft or business source type of license?



