While to be pedantically correct they don't literally own the IP, the startup is correct in telling investors that they have the rights to build a business from what software they have. Your license is very permissive and grants them this.

If you don't want people to use your software to build a business, you should release it under a license that forbids it. (There isn't such a license but AGPL effectively accomplishes this.) If you want people to be required to mention you when they use your software, you should release it under a license that requires this. (For example, the unpopular 4-clause BSD license requires this.)

With all that said, it's still kind of a jerk move on the startup's part for them not to even contact you. But modern software is made up of many people's open source software and most of them never get any acknowledgement...

If they were just using the software and telling investors that they were using it under the Apache license, there would be no problem. The investor said that the startup is claiming they actually wrote the code.

If the group retains the attribution notices in the source code, hopefully this will be found when the VC does due diligence and then it's up to the VC what to do. If the group removed the attribution notices and you can somehow gather evidence of this, then they violated the Apache License and you should be able to sue. Whether or not this would be fruitful is up to whichever lawyer you contact.

Honest question: does throwawayvictim have an obligation to take part in that due diligence process by reaching out to the investors? Regardless of his own attachments to the code, and his emotional response to its false attribution - a response I think most of us would have, by the way - the investors "don't know what they don't know", and I think any good samaritan would consider it his duty to inform someone who is at a possible informational disadvantage, especially when that information could prevent the investors from dealing with a loss or a future liability. It also reflects the character of the startup using the code, an additional and relevant piece of information that the investor is disadvantaged not knowing.

Think if it in alternate terms. And, yeah, it's going to be highly contrived, but I'm trying to avoid overreaching the bounds of this metaphor. :)

Someone at a party you're hosting (we'll call him Stuart Upton) stole a car that you recently offered to loan to anyone who wants it, because - hey! - free car! You have an OBD key installed that lets you track it. You're not certain if they're intoxicated, or if they're intending to commit a crime, and there's a risk they could cause harm to person or property. You believe you know their destination, because they discussed going there to "have a chat" with someone named Victor Curtis (we'll call him "VC" for short) about some money they believe they're owed earlier in the evening.

Is it your duty to call up VC to warn him about his unexpected caller? That the caller has expressed a monetary motivation for his visit, and that he has taken advantage of your good will and stolen a car you were willing to loan freely to anyone who respectfully asked to borrow it?

> does throwawayvictim have an obligation to take part in that due diligence process by reaching out to the investors?

No, in fact he should not. The DD is the investors problem, not the OPs, if they do lousy DD, do not spot the anomaly and invest anyway at least he'll have a fat target assuming there is a case here.

> Regardless of his own attachments to the code, and his emotional response to its false attribution

False attribution by hearsay at this point in time, that's not actionable.

> a response I think most of us would have, by the way - the investors "don't know what they don't know", and I think any good samaritan would consider it his duty to inform someone who is at a possible informational disadvantage, especially when that information could prevent the investors from dealing with a loss or a future liability. It also reflects the character of the startup using the code, an additional and relevant piece of information that the investor is disadvantaged not knowing.

That might get you into a lot of trouble.

Your analogy doesn't hold water on several fronts, for one nothing got stolen.

> Is it your duty to call up VC to warn him about his unexpected caller?

No, in fact that might be construed as interference.

> That the caller has expressed a monetary motivation for his visit, and that he has taken advantage of your good will and stolen a car you were willing to loan freely to anyone who respectfully asked to borrow it?

This could be but the OP is not a disinterested and objective party. So he should contact his own lawyer and discuss his options rather than to take advice from strangers on the net with extremely limited data.

I have never in my life seen a VC look at source code. Even the more technical ones that might be interested in the technical details limit themselves to the overall architecture (and even that mostly out of curiosity). Is anyone else's experience different?

I had potential acquirers hire consultants (on their dime) to audit my code and commit logs. Their questions were brief yet very specific. I felt that this would be standard practice for any good VC / acquiring business.

Yes, it's different for me. I do DD many times per year and I always look at the code if the company is claiming IP rights. And depending on what they're doing this can be a half hour browsing session or a deep dive lasting a couple of days.

How much do you care? According the Apache license they must keep original copyright attribution in all source files that include them. If they're stripping get litigious.

Go for a consultation. Decide if its viable to go after them. If it isn't, those investors should know that they're investing in dishonest crooks who probably don't have any qualms with misdirection of funds.

I wonder if this is a situation where investors don't clue other investors in.

Ultimately investors are all competing with each other for good deals and if some investor doesn't find this is a bad deal in their due diligence, how much would the smarter investor be willing to let their competitors tie up their money in the bad investment? They have no ethical obligation to share this information...

How would he know if they are stripping his license off the files?

They are being dishonest and trying to take over the ownership of the code. It needs to be called out.

We'd need much clearer specifics to give good advice, but generally I'd avoid getting aggressive. It's unlikely that you have much (if any) legal claim, so the primary benefit you can get is to build some social capital with their investors.

> How should I respond? Is this common practice?

It is extremely common practice to use open source software in building a company, but most startups will acknowledge they didn't write all the code themselves. That being said, some certainly do gloss over the exact authorship (especially since some business people still don't understand open source).

Also, there's a huge difference between them selling literally your code as their own and them using your code to build a business you hadn't thought of.

Either way, your best bet is to respond diplomatically to the investors. If you play your cards right (don't be aggressive, but do be clear that you wrote the IP), you could easily spin this into:

1) Money for an additional "license" (essentially, money to keep you from harassing them)

2) Investment in your own startup. The fact that people are successfully raising money on software you wrote speaks volumes to your potential market.

My biggest fear at the moment is that they will turn around in the future and try to take action against me. If they are telling others that they wrote the code, and if someone tells them about my code, i wouldn't want to face a legal battle. Maybe it's unfounded, but I'm still a bit emotional.

That's probably a healthy approach, especially if you're feeling emotional about the situation right now. There's definitely not a big rush.

Keep in mind that it is very unlikely they'll try to litigate against you——they're the ones who have the most to lose. Not only could they potentially have violated your copyright, but they also risk significant perceived damage (many VCs won't touch a startup in litigation with a 10 foot pole).

Is it on GitHub? If you have the commit log on a third-party site, you've got a pretty reliable audit trail of who wrote what when.

1. Thank the investor for letting you know.

2. Explain that you are glad that someone is finding your software useful. Ask them if they have any questions about the software.

3. Explain what you are working on now.

4. Network with them for the long term.

The investment community will handle any dishonesty according to its habits and those of the particular investors involved.

This is good advice.

I'm not a lawyer, but for what it's worth, it sounds like they're defrauding their investors while actually complying with their legal obligations to you; the Apache license allows copying, and deploying code to a website (without sharing the code itself) isn't even thought of as "distribution" in copyright terms.

So I'd be surprised if you have anything personal to gain from pursuing this, other than the karmic payoff of seeing cheaters be punished.

The Apache 2 license has attribution clauses.

The attribution clauses in Apache 2 apply to notices in source code, when redistributing that source code.

The company using OP's code is presumably not distributing his source code publicly at all. They're just using it to power a deployed website. So an act of distribution as defined by copyright and the Apache license has not taken place, so the attribution clauses do not apply.

This is a really interesting case and I think there are two paths you could take, depending on what you want to do with your life:

1. Do you want to be the businessperson? Do you want to raise money, start a company, deal with HR, have board meetings, and commercialize your software? If so, then it sounds like you would want to keep this competitor out of the market. At this stage, you could probably achieve that by sending some friendly, politely-worded emails to the parties involved explaining the true origins of the IP. I say you could do this in a friendly way because you are actually helping the investors by giving them a more accurate picture of what could've been a deceptive pitch. I wouldn't necessarily push for them to invest in you because they might be soured by the whole thing, but I'd be open if they expressed interest. At this point, I'd stress don't be mean or aggressive about it - just be helpful and honest.

2. Or do you want to kick back and work on your open source software? If this is the case, and I'm guessing it is, then you probably want to encourage people to raise money based on your IP and then figure out ways to work with them to extract some licensing/consulting fees. If some one raises $1M based on your open-source software, it would be very reasonable for you to get $50K-$100K of that through fees over the next year. Some people are going to be defensive and think that you're "losing" $900K - but you were never going to raise that money in the first place, so how can you "lose" it? Now, how you get your $100K is dependent on circumstance, but it could be in the form of custom development for them, trademark licensing, premium support, premium software add-ons, etc. Overall, your goal is to maintain control/leverage over the IP and knowledge while helping others build a commercial market around it.

Good luck.

It's an awful feeling. It has been done to one of my open source projects before.

Here's my thought on why they did it.

1. Exclusive ownership of IP has a lot of value to the investors. The IP can be licensed out and can be used as a competitive advantage. When the company is sold later, IP is an important part of it. Claiming IP ownership of your project increases their funding appealing to the investors. Otherwise, another group can just easily use your open source project to build a competing company.

2. Claiming ownership of the IP gives the appearance of their development prowess of building the project from scratch. It adds to their technical competency to the investors. In reality what they're really good at is taking credit of other people work.

Now what do you want to do? It has been a hurtful experience and you are probably pretty emotional. I would. But time to check emotion at the door and start to play ball.

You being the exclusive ownership of IP has tremendous advantage. See 1.

Tell the investor you own the IP. You were just being philanthropic to open source it; however, you still own and control the IP. Investors really try to avoid tangled IP so they can sell the company in a clean bundle later.

As for the startup, you can sell them a license for a large fee to allow them to close-source their new modification. This essentially let them buy off control of a branching of the project. And investors like it since it gives them control over future IP addition.

You can consult for them, but I think it's a bad idea given how these people have behaved unethically.

You can tell them to stop claiming ownership of the IP and give attribution, and remind them any future changes they make have to be open source as well.

Or if you want to play the long game, you can sit back. Let them develop the company. Later have your lawyer sent them notice that you want to audit all their code to make sure any derivation of the project is properly open sourced.

Your analysis of why they might have this seems insightful, but your advice on what to do doesn't sound quite right to me. In my mind, it all depends on which sort of "open source" license you used: a "viral" one like the GPL or a "free" one like BSD or Apache.

You wrote "remind them any future changes they make have to be open source as well" and "have your lawyer sent them notice that you want to audit all their code to make sure any derivation of the project is properly open sourced"; both of these apply only if you used a "viral" style of license. And the original poster didn't... she used the Apache license.

By using that license, she already gave this startup (and anyone else) permission to use the code, and to build a whole business on the code, without ever paying the original poster one cent or even giving credit.

We (those of use who release under open licenses) do this because on the whole, everyone benefits when we all use open licenses. I would venture to say that there is no developer anywhere who has not GAINED more benefit from the use of open source software than they have given up by releasing things they wrote.

But occasionally there is an asshole like (apparently) this startup. And one right that the original poster did NOT give up by using the Apache license is the right to speak honestly. The advice "Tell the investor you own the IP" seems dead on.

It may turn out that there was a miscommunication -- that the startup founders were explaining that the features THEY added were theirs and the investor misunderstood and thought they were claiming the underlying code that the OP wrote. If so, sort out the communication mixup and then perhaps you and this startup have a future together. Or perhaps (and this DOES happen) the startup founders were simply lying to investors. In that case, telling the investors about it won't win you any friends, but it might make the world a tiny bit better.

> remind them any future changes they make have to be open source as well

Unlike GPL, the Apache license isn't "copyleft" or "viral," so derivative works and modifications don't have to be Apache-licensed or open sourced at all.

Apache 2 does have have an attribution clause, though (4.c and 4.d). It seems like this implies that if the startup is removing the attribution link or license text from source code files, they're in violation of the license.

(BTW, the author should clarify what exactly the investor means by "claiming the work as their own". Are they claiming they have a right to use the work, which they do? Or are they claiming they are the copyright owners, which they are not? Investors are often non-technical and non-legal, so it's quite possible something has been lost in translation.)

Do you mind going into more details? What happened and how did you react?

Why don't you offer your services to the startup as a consultant? Edit: Thanks for the downmod. Let's be clear, this is a legal situation that is ambiguous at best. If the startup has preserved the attribution (which seems to be the case or he wouldn't have been contacted) then it's entirely likely that they have not done anything wrong. These guys just got a bunch of money to work with this software; clearly having the person who wrote it would be a big help to their team. I'm not even suggesting joining said startup, presumably the author has other means of income. Consulting seems like the way to make the best of this situation, assuming that you can get over the idea that someone has "stolen" your code. I readily admit the notion that I could be mistaken; if you feel that I am, please comment instead of downmodding.

In the start up world, what comes around, goes around. Ethics, trustworthiness, honesty...these are all important factors. All of the angels and VC's I've been around would very likely walk away from people like this. Maybe it was an oversight, maybe it was intentional...but most investors will suss out douchebaggery pretty quickly and ask very direct questions. If you lie at this point, you're not getting funded. If you somehow manage to get funded and the lie remains uncovered, that's highly unusual.

There's really not much you can do though. Maybe politely request the start-up acknowledge the work you did.

But if it were me, I'd just let it go and move on. If you're sensitive about this sort of thing, you probably shouldn't release your code open source.

By the way, I'm familiar with the feelings. I had a private commercial library for years. The second I open-sourced it, at least two companies started using it in their commercial endeavors.

What do you want?

Do you want the investment instead? Do you just want to warn the investors that they might be being tricked? Do you want them to start the company and employ you (not a good idea if you can't trust them)?

I suspect you don't have a case yourself unless you have great evidence about exactly what they said and even then in private the damages are probably small. The investors are the ones whom at the least charitable interpretation were being defrauded and may be most angry and have a case.

I suggest that unless you want to pitch for the investment yourself that you stay fairly quiet or quietly let the investors know the situation and let them deal with it.

Without specifics you're not going to get much in terms of help but at first glance if they are raising funds on your code then you should contact a lawyer with your license in hand to get his opinion on how to proceed.

I don't know any lawyers in the IP space. Do you have a lawyer that you use in your business life?

I personally recommend George Grellas (grellas on HN), with whom I have worked on a professional basis and whose services I value greatly. He is someone whose advice I would pay for and trust. His firm's website is http://www.grellas.com/ . (I receive no compensation for making recommendations.)

I am not saying this is a case that he would want to take on (only he could say that, and without knowing more details, it sounds to me [a non-lawyer] as though the entrepreneurs are deceiving the investors while obeying the terms of your license).

Likely not in your place of residence.

But google is your friend here.

where are you?

The first and easiest thing you should do is make sure that you are clearly labelled as the project's author on the website of the project as well in the source code. If any investors get burned on this (as they probably will) you don't want them suing you alleging that you were somehow contributed to the problem.

Reading up on the Apache license it seems that it requires that any attribution notices be preserved. So I do hope you put notices in your source code saying you wrote it. If you didn't, do it now.

Then you should consult a lawyer that specializes in IP and general business law. You may have both a copyright and business claims against that startup. If they were stupid and removed the license or any attribution from the code when they showed it to investors, then you may have a copyright infringement claim and that can be worth a lot of money.

If they were smart and adhered to the apache license, then you may have a business law claim such as tortious interference with business relationships. But this gets more complex so you really need a lawyer to figure it out. You should find one that knows both copyright and business law. I believe there are lawyers that specialize in small business cases in the software industry that know both copyright and business law.

I have to warn you not to get your hopes up in terms of making money. It is very difficult to make any money from lawsuits and the experience usually ends up a money losing endeavor for both parties. But you do not have to file a suit and maybe you can take some simple steps to protect yourself.

Please keep in mind that nothing here is legal advice. For actual legal advice you should consult a lawyer that knows the details of your situation.

People are predatory, and will use your licence to their full benefit. I feel like a jerk saying this, but this example is exactly why I licence my intellectual property under GPLv3 as much as possible. I retain rights, and others are forced to play by my rules lest they enjoy litigation.

But more importantly, if my work is stolen, I have legal recourse because they aren't releasing the source to their derivative work.

Make sure your project's public presence (website, github, etc) clearly describes its history and your authorship.

Also make sure it disclaims any associations with the team making false claims, either by name ("project X is not created by or affiliated with site Y"), or generically ("project X is not associated with any company or fundraising efforts").

After that, it depends on what you're concerned about. Is it that you think this group is making off with your opportunities? Undermining your own reputation with their false claims – either because they've hidden your achievements, or are falsely implying your endorsement/involvement? Are you worried about more risk if their lies eventually blow up, due to being revealed as deception or failing the in marketplace? Do you simply want to protect third parties who might be conned?

No matter what, making sure the real origins and authorship are well-documented in the project's public presence helps you: anyone doing due-diligence is likely to find the truth. Other concerns probably only need formal legal steps if you find yourself crossing-paths with this team in the marketplace, facing quantifiable damages from their falsehoods.

Note that it's possible they've been sloppy in attribution and cutting/pasting, but truly have made proprietary additions/improvements representing new IP, and intend to operate a real business. (The email-relayed info may have morphed somewhat in the retelling.)

On the other hand, sometimes people run total scams where they carbon-copy an entire website to create the false impression of competence, to raise money for immediate theft. If that's the situation, what you publish and say now could someday prove important in a civil or criminal case against the fraudsters. You'll want to make it very clear you're not coordinating with them in any way.

Isn't the Apache license free of attribution? I'm not sure on the exact requirements on that license.

If I put a product together with open source components, does that make it less useful? Did I infringe on intellectual rights by putting together something with open source components?

You should talk to a lawyer who specializes in IP. IANAL, but they don't own the IP -- they license it from you. Whether that means they owe you anything would depend on the specifics of the case, and that's something you'll need an attorney to figure out.

First, check whether they're in compliance with the Apache license, particularly the terms in section 4 regarding attribution and notices. If you can find specific evidence that they violated one of those terms, your position is strengthened enormously.

Sorry bro, You consult them and offer a deal $$$.

If everything true, they raised 1M with just showing open source project, the VC must be funny guy, lol.

Since you are not mentioned what is your project, links to your repository, 100000+ people use jquery, bootstrap etc libraries, they leave the links as it is.

I think the main problem that you'll have is proving damages. Sure, maybe they did something morally wrong or even illegal but there is no point to suing if they didn't cause any damage to you.

Are they based in the US? From experience, your ability to fight them will be extremely limited of they are based in China or Russia or Indonesia (as happened to some of our IP).

Offtopic but if possible, you should tell the name of the investor. I don't think any decent investor would forget to do such basic checks as part of due diligence.

Hit them up and see if you can get a support contract.

Let us know how it resolves.

It's not common practice, and it's not ethical, what they're doing.

That said, it's more good for you than it is bad. The investor reached out to you. Use this as an opportunity to get face time. Get him to know you. He wants something from you (probably, not to sue the company and to give them a license on fair terms). Get as much in the way of social currency (introductions to other investors, face time with important people) as you can out of this. But, over all, see it as an opportunity to make friends rather than enemies.

The investors, if they're any good at their jobs, aren't going to let someone just steal your idea and claim credit. They're supposed to catch that in due diligence. Your job, at this point, is to be firm in negotiations and get all the social capital you can, but ultimately (unless it's unethical or against what you stand for) to try to make sure that the investors get what they want out of the process, and know you in a positive way in the future. As repulsive as The Wire's Stan Valchek may be, I take from him a choice quote: "kid, careers have been launched on a helluva lot less". You have leverage; use to it get introductions and social proof and to make friends, rather than making enemies.

If this isn't lies, and you live in a country with IP laws, it's easy:

Step 1. Validate your claim is legit; documentation and everything goes a long way. Archive.org is actionable in court (for fun, I put up an article on how I can invalidate several Microsoft patents, due to my prior art from 2000 - the patent was in 2008).

Step 2. Get in touch with your own lawyers, after getting some advice on RocketLawyer or similar. To whit, I could not get a lawyer to take my case last year, despite prior case rules in California, referral from a District Attorney AND a victory in California court through mediation, with more charges still pending against the startup.

Step 3. Assuming even like me, you have legal precedent, history and proof - you need funding. Apparently, as I have found, nobody gives a !@#$@$ in the United States of America about actual crime. I've got a ton of documentation, the only thing I have yet to do is literally CALL the police, and ask, point blank, "Why is that man not in jail?"

Step 4. Now that you how hard this uphill battle is guaranteed to be, if you have the proof, if you have the lawyer friends, finally - do you have the money? Can you get it? If that's true on both, review your stomach, because it'll be a long, hard battle. Family, friends and business associates have all "Disowned me," for various reasons, even though I was the victim. Unreal, but true. See Gamergate as well - the victim loses in the modern USA, at least. Other countries, like Maldives, Costa Rica - the victim also loses.

Step 5. Prepare to lose your professional reputation, even if you win in mediation. I'd love to say that if you win in court, like Michael Jackson before you, that somehow, people realize it wasn't you who did wrong. However, sadly, many people still believe he's a pedophile, many people don't believe I was robbed and fired while my boss was in Hawaii, my step-dad in hospital with 10% chance to live.

Sorry, bro. If you want a referral to awesome lawyers, I'm happy to help and do whatever it takes to help somebody. I care. I just wish other people would, too.

He released the IP under an open source license.

Litigating this is both foolhardy and an uphill battle. Even if he can prove that they weren't giving proper credit, it's extremely hard to prove damages when there is an open source license.

What criminal case?

They have every right to use his software. Under the Apache license, they typically don't even have to publicly admit to using it.

Their only fault is likely glossing over the exact details of what code they wrote and what code they licensed, and even that only in private with investors.

I just don't see how there's any sort of case here. They haven't infringed on any IP.

Certainly not criminal. The Apache license has stipulations for attribution, if someone is claiming your copyrighted work as their own and stripping attributions to attain funds then it could be argued that the code was distributed among them against the license and with the intention of violating it for financial gain.

> and forgot to remove the links to my site

Sounds like attributions are intact. The startup might be misrepresenting things to investors in conversations, but if the actual code attribution is in place then it'd be very difficult to prove a violation of the license.

How could he even prove that?

Why would an investor, who has potentially invested money in this venture, hand over evidence like that?

I'd assume they'd just attribute him in the future (in some obscure corner of their product/website), and be done with it.

An investor associated with that venture went out of his way to spill the beans and probably would hand it over unknowingly if asked nicely.

But I agree with your conclusion.

What project have they stolen? and b) who are they? Give us web links, we may be able to help....