Bryan H. Choi (Ohio State University (OSU) - Michael E. Moritz College of Law) has posted Tainted Source Code (39 Harv. J.L. & Tech. (2025)) on SSRN. Here is the abstract:
Open-source software has long eluded tort liability. Fierce ideological commitments and sticky license terms support a long tradition of forbearance against penalizing harmful or negligent work in open-source communities. The free, noncommercial, distributed, and anonymous characteristics of open-source contributions present additional obstacles to legal enforcement.
The exponential rise in software supply chain attacks has given new urgency to the problem of bad open-source code. Yet, current approaches are unlikely to meaningfully improve open-source security and safety. On the one hand, technological tools and self-governance mechanisms remain woefully underdeveloped and underutilized. On the other hand, liability proposals that place all the burden on commercial vendors to inspect the open-source packages they use are an impractical solution that ignores how software is built and maintained.
This Article argues that donated code should be subject to tort liability by analogy to the law of tainted food and blood donations. Food safety law is the progenitor of modern tort law, and it reveals an older set of tensions between altruistic efforts to address societal hunger and the need for accountability in regulating the quality of food supply chains. At common law, the charitable nature of a donation is a nonfactor in determining liability. Legislatures have intervened to provide safe harbors, but only up to an extent. This nuanced history offers a principled path forward for extending a liability framework to donations of open-source code.