DIY code escrow?

Tags: escrow

Rather than using a third party code escrow service, I was thinking about giving customers our source code in encrypted form and then have my attorney produce a document that contains the password for decrypting the source and the conditions under which it is released.

The benefits of doing it this way are not just cost. Would you be shocked to hear if one of the big escrow services was hacked?

The implementation could be very simple. A Win32 command-line program could be written that uses some obscure combination of AES, random nonces, etc. to encrypt and decrypt a file using a password. This program is then packaged with the encrypted source file and instructions and made available to customers via any number of methods. So customers already have the source. All they need is the password to decrypt it.

To obtain the password, the customer would simply contact the legal group acting as the escrow agent and claim that one of the conditions for releasing the code has been reached such as bankruptcy, the product was discontinued, etc.

Has anyone done this or do you see a flaw in the system?

user8134 asked Jan 05 '10 17:01

1 Answer

The escrow system is also a guarantee that the source code will be delivered. What if the encrypted file or media is found to be corrupted when decryption is attempted? What if the key is not correct? The service needs to be provided as specified in the escrow contract at a time when you will not be able to provide the code yourself. How far will your lawyer go to ensure that the client's contract is fulfilled? That is basically what you are paying an escrow service for.

Another option is to simply release the code to them as it is while you are still a going concern for a price increase equivalent to the escrow fees and pocket the escrow fees. What is the risk in giving them the source code now?

Cade Roux answered Dec 31 '22 19:12
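
The two failure modes raised in the answer (a corrupted encrypted file, a password that turns out to be wrong) can be checked at deposit time rather than discovered at release time. The following is an added example, not code from either poster: it builds a small manifest that lets the customer verify the encrypted file without the password and lets the escrow agent verify the password without the source. The function names, the manifest fields, the PBKDF2 work factor and the sample data are all assumptions made for illustration; the encryption step itself is out of scope and the ciphertext is treated as an opaque blob.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value for this example)

def _check_value(password: str, salt: bytes, iterations: int) -> str:
    # Derive a key from the password, then MAC a fixed label with it. The
    # result confirms the password without storing the password or the key.
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.new(key, b"escrow-key-check", hashlib.sha256).hexdigest()

def make_manifest(ciphertext: bytes, password: str) -> dict:
    """Vendor side: record what the customer and the agent can verify later."""
    salt = os.urandom(16)
    return {
        "ciphertext_sha256": hashlib.sha256(ciphertext).hexdigest(),
        "salt": salt.hex(),
        "iterations": ITERATIONS,
        "key_check": _check_value(password, salt, ITERATIONS),
    }

def package_intact(ciphertext: bytes, manifest: dict) -> bool:
    """Customer side, no password needed: detect a corrupted file or media."""
    digest = hashlib.sha256(ciphertext).hexdigest()
    return hmac.compare_digest(digest, manifest["ciphertext_sha256"])

def password_matches(password: str, manifest: dict) -> bool:
    """Agent side, no source needed: confirm the sealed password is correct."""
    salt = bytes.fromhex(manifest["salt"])
    candidate = _check_value(password, salt, manifest["iterations"])
    return hmac.compare_digest(candidate, manifest["key_check"])

# Constructed sample data standing in for the encrypted source archive.
SAMPLE_CIPHERTEXT = bytes(range(256)) * 4
SAMPLE_PASSWORD = "constructed-example-passphrase"

if __name__ == "__main__":
    m = make_manifest(SAMPLE_CIPHERTEXT, SAMPLE_PASSWORD)
    print("package intact:", package_intact(SAMPLE_CIPHERTEXT, m))
    print("password matches:", password_matches(SAMPLE_PASSWORD, m))
```

These checks show only that the file is unchanged and that the password on record matches it; they do not show that the decrypted contents are the complete, buildable source. The key-check value permits offline password guessing just as the ciphertext in the customer's hands already does, so the password should be long and randomly generated.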