tags:

views:

128

answers:

2
+3  Q: 

DIY code escrow?

Rather than using a third party code escrow service, I was thinking about giving customers our source code in encrypted form and then have my attorney produce a document that contains the password for decrypting the source and the conditions under which it is released.

The benifits of doing it this way are not just cost. Would you be shocked to hear if one of the big escrow services was hacked?

The implementation could be very simple. A Win32 commandline program could be written that uses some obscure combination of AES, random nonces, etc to encrypt and decrypt a file using a password. This program is then packaged with the encrypted source file and instructions and made available to customers via any number of methods. So customers already have the source. All they need is the password to decrypt it.

To obtain the password, the customer would simply contact the legal group acting as the escrow agent and claim that one of the conditions for releasing the code has been reached such as bankruptcy, the product was discontinued, etc.

Has anyone done this or do you see a flaw in the system?

+8  A: 

The escrow system is also a guarantee that the source code will be delivered. What if the encrypted file or media is found to be corrupted when decryption is attempted? What if the key is not correct? The service needs to be provided as specified in the escrow contract at a time when you will not be able to provide the code yourself. How far will your lawyer go to ensure that the client's contract is fulfilled? That is basically what you are paying an escrow service for.

Another option is to simply release them the code as it is while you are still a going concern for a price increase equivalent to the escrow fees and pocket the escrow fees. What is the risk in giving them the source code now?

Cade Roux  2010-01-05 17:38:34
I'm not a fan of handing over source for a project for which I haven't been paid. I've gotten screwed out of a significant amount of cash this way by unscrupulous clients.
David Lively  2010-01-05 19:28:03
For a short-term escrow during the purchase transaction, you could probably use a lawyer for that. For the scenario the OP talked about with bankruptcy or discontinuations, I wouldn't expect the lawyer to be able to handle that.
Cade Roux  2010-01-05 19:59:29
A: 

Part of the escrow account process is a legal and financial guarantee that, even if both you and the escrow provider are struck by lightning or hit by a falling meteor or toilet seat from a deorbited space station, the code will be available to the client. We've been required by military contractors to hand over source for our compiler (that we develop) to escrow so that they can use it if we go out of business.

Also, compared to the price of an attorney, I'd think that escrow would be relatively cheap. Just factor it in to your bid if it's a client requirement.

David Lively  2010-01-05 18:02:35

related questions

Integration of escrow web services in a PHP site
Freelance site - Escrow Concept
What is Software Escrow? Is Software Escrow something you want?
What are good ways to guarantee business continuity with a SaaS product?
Have you used software/source code escrow?
How to build escrow style system