Sign in Subscribe
Intellectual Property & Branding

Software Copyright Registration: When and How to Protect Your Code (Developer-First Checklist)

Promise Legal Staff

8 min read
Teal crystalline vessels in copper lattice, left focal; navy-to-cream textured wash, abstract
Loading the Elevenlabs Text to Speech AudioNative Player...

Your main branch is production — and when a disputed commit shows up, it turns into “legal debt” that can block releases, rollbacks, fundraising, and M&A diligence. This guide is for CTOs, founders, senior engineers, and startup counsel who need an operational way to prove you own what you ship. If you’re still cleaning up contracts and contributions, start with source code ownership before you file anything. Below is a practitioner-first checklist: a timing decision tree, a USCO walkthrough, and repo/CI playbooks you can actually execute.

TL;DR (practitioner checklist)

  • Register before launch, within 3 months of publication, pre-fundraise, pre-M&A, or immediately on suspected infringement (timing affects eligibility for statutory damages/fees under 17 U.S.C. § 412).
  • Deposit a versioned snapshot (tag/commit), not a moving branch.
  • Use USCO’s standard deposit approach (often first/last 25 pages) and redact trade secrets correctly.
  • Keep secrets/keys out; preserve an internal unredacted escrow copy.
  • Close authorship gaps (employees/contractors/CLAs) before you register.
  • Run OSS/license scans so third-party code doesn’t undermine diligence.

Think of registration as “legal architecture” for your repo: it doesn’t stop copying, but it upgrades your evidence and your remedies. In the U.S., registration (or preregistration in limited cases) is generally required before you can file an infringement suit for a U.S. work (17 U.S.C. § 411(a)). More importantly for startups, registering early can preserve access to statutory damages and attorney’s fees; if infringement starts before registration, those “extraordinary” remedies are often unavailable unless you register within three months after first publication (17 U.S.C. § 412).

  • Faster incident response: a certificate + clean deposit/provenance bundle makes demand letters, platform takedowns, and settlement talks more efficient.
  • Cleaner diligence: reduces “prove-you-own-it” workstreams for investors and acquirers (and the deal friction they create).
  • Better leverage: early registration improves your bargaining posture when the other side is deciding whether to fight or fold.

Example: You ship v1; a competitor clones your UI and key backend modules. Without registration, you’re slower to escalate, you’re limited to proving actual damages/profits, and you may need to register while under pressure. The better play: register at release and keep a version-tagged provenance bundle. For adjacent risk areas, see AI and copyright and open source license traps.

Choose based on whether the code can realistically remain confidential — and whether you want a litigation-ready posture (registration) versus a “keep-it-secret” posture (trade secret, which requires reasonable efforts to maintain secrecy).

  • 1) Is the code distributed outside your org? (client SDKs, on-prem, mobile apps, partner drops) Yes → plan for copyright registration per release. No → continue.
  • 2) Is repo access wider than tight employees-only? (contractors, vendors, offshore teams) Yes → trade secret is still possible, but only with strong controls; consider registration for shipped components. No → continue.
  • 3) Can you enforce confidentiality controls? NDAs + IP assignment, least-privilege access, MFA, access logs, secured artifact storage, clean offboarding. No → assume secrecy will fail; bias to registration for what you release.
  • 4) Will OSS licensing or public commits change the legal state? Public repos/forks/mirrors and copyleft triggers can force disclosure obligations — treat that as “distribution pressure” and plan registration + hygiene (see open source license traps).

Developer-operational checklist: private vs public repos (including forks), artifact registries and retention; contractor boundaries (don’t rely on “work-made-for-hire” myths — get assignments); CI/CD leakage (build logs, debug symbols, SBOMs); product surface area (SDKs, public APIs, on-prem).

Examples: (1) Internal algorithm service → trade secret + strict access controls. (2) Distributed client SDK → register at v1.0 and major releases + license scanning.

Default posture for most startups: keep deep internals as trade secrets with provable controls, and periodically register shipped/released versions to stay enforcement- and diligence-ready.

What to register (and what not to): define the unit of protection like a release artifact

Copyright protects the expression in your software (source/object code as written), not the underlying ideas, algorithms, or “business logic” in the abstract. So define the thing you’re registering like an engineering artifact: a specific, reproducible snapshot with a clear boundary.

  • Pick a registration unit: register per major release (v1.0, v1.5) when changes are sweeping, or per module when components ship independently (core engine vs public SDK).
  • Use a stable tag/commit: don’t register a moving branch. Treat the deposit as “what shipped,” tied to a git tag and build identifier.

Deposit strategy (protect + don’t leak secrets): the USCO commonly accepts the first 25 and last 25 pages (or equivalent units) of source code for a new program, with trade-secret material blocked out if needed; the Office notes ~40 lines ≈ 1 page as a rule of thumb (USCO deposit copy guidance). Keep credentials, customer data, and infra secrets out of the deposit, and preserve metadata alongside your bundle: commit hash, tag, release notes, CONTRIBUTORS.md, and signed authorship/assignment records.

Example (SaaS monorepo): register the core service + shared library at the release tag that powers production; exclude Terraform, secrets, and environment-specific config, and keep an internal unredacted escrow copy for enforcement.

Step 0 — Pre-flight (don’t touch the form yet): confirm the ownership chain (employee IP terms, contractor assignments, CLAs). Decide whether/when the version was “published” for your product. Then pick a specific tag/commit and generate a clean archive.

Step 1 — Prepare the deposit copy: include representative source for the key modules you’re claiming. Exclude secrets (API keys, signing certs), customer data, and environment configs. USCO deposit guidance for computer programs commonly uses the first 25 and last 25 pages (or equivalent units; ~40 lines ≈ 1 page) and allows trade-secret blocking/redaction if the remaining material is proportionately more than what’s blocked out (USCO deposit copy help). Keep an internal unredacted escrow copy. Add provenance: COMMIT_HASH.txt, CONTRIBUTORS.md, and a build manifest/SBOM pointer.

Step 2 — File (eCO is typical): enter title/version, author(s), claimant, and any “limitations of claim.” Fees change, so verify on the USCO schedule (Standard Application is listed at $65 as of the current fee page). Processing times vary — plan for weeks to months unless you qualify for special handling.

Step 3 — Save the evidence bundle: store the certificate, docket re-registration reminders, and link the filing to the repo tag + checksums.

  • Repo layout: /legal/deposit/v1.2.0/ (archive + manifest + checksums + notes)
  • Commands: git tag v1.2.0 && git archive --format=tar.gz -o v1.2.0.tar.gz v1.2.0; shasum -a 256 v1.2.0.tar.gz > SHA256SUMS; optional gpg --detach-sign SHA256SUMS

CTA: Get the Implementation Guide (templates + scripts to generate deposits and provenance bundles reliably).

Common developer traps that break protection (and quick remediations)

Use this repeatable format: situation → impact → remediation. The goal is to keep your registration and enforcement posture credible and keep trade secrets from leaking.

  • Trap 1: Public repo commits before deciding IP posture. Impact: accidental “publication,” forks you can’t claw back, leaked secrets. Fix: write a publication policy; split a public SDK from a private core; rotate keys and purge from history where feasible.
  • Trap 2: Unclear authorship (no CLAs/assignments). Impact: you may not own what you register; diligence blowups. Fix: require IP assignments; adopt CLA/DCO; enforce signed commits; add CONTRIBUTORS.md.
  • Trap 3: Copy-pasted OSS without tracking. Impact: license noncompliance and provenance gaps. Fix: run scanners; add SPDX headers + NOTICE; document third-party sources.
  • Trap 4: Copyleft/dual-licensed code in the critical path. Impact: forced disclosure obligations, M&A red flags. Fix: dependency review gates; isolate behind process/service boundaries; replace or re-architect.
  • Trap 5: CI/CD artifact leakage. Impact: “trade secret” status erodes via logs, build artifacts, debug symbols. Fix: restrict build visibility; scrub logs; set short artifact retention; lock down artifact registries.

Quick toggles/commands: enable branch protection + required reviews; require GPG/signed commits; turn on dependency scanning; restrict Actions/GitLab job logs to maintainers; set artifact retention to days (not months).

Open source vs. proprietary: manage licensing risk so registration stays valuable

Copyright registration proves and strengthens your claim to your code — it does not cancel third-party open source obligations or fix “contamination” in diligence. If a key module is governed by a reciprocal license, investors and acquirers will treat your proprietary rights as narrower than your repo suggests.

  • Permissive (MIT/Apache/BSD): usually compatible with proprietary products, but you must keep attribution/notice files. Apache 2.0 also includes an express patent license from contributors and a patent-termination trigger (Apache-2.0, §3).
  • Weak copyleft (LGPL/MPL): can be workable, but only if you respect boundary rules (e.g., linking/modification and file-level triggers). Keep clean separations and document what’s modified.
  • Strong copyleft (GPL/AGPL): highest diligence risk. AGPL is designed for network/server software and can require offering corresponding source to users who interact with the software over a network when you’ve modified it (AGPLv3, §13; see discussion at Opensource.com).

Controls that scale: generate an SBOM and enforce allow/deny lists; automate third-party notices (NOTICE/SPDX headers); and use architecture patterns (service boundaries, replaceable adapters) to reduce copyleft spread where appropriate.

Example: an AGPL library embedded in a networked SaaS can force source-availability obligations for modifications, increasing acquisition “switch costs.” For more, see Open Source License Traps For SaaS Businesses.

When registration is urgent: 3 scenarios and timelines you can actually execute

  • Scenario 1 — Pre-funding / pre-M&A diligence: Timeline: 2–6 weeks before your data room opens, register the 1–3 releases that represent “what we sell.” Ship an ownership/provenance packet alongside it: assignment docs, CLA/DCO status, tag/commit, deposit manifest, and checksums. This reduces “prove it” cycles and legal switch costs.
  • Scenario 2 — Market entry with a public API, SDK, or on-prem distribution: Timeline: register at the v1.0 release tag (not main) and re-register on major refactors or platform rewrites (e.g., new compiler target, new core engine). Pair it with SBOM + third-party notices so distribution doesn’t create avoidable license problems.
  • Scenario 3 — Suspected infringement after public release: Timeline: same day: preserve evidence (screenshots, package hashes, server logs, crawl). Then register ASAP and coordinate takedown/demand strategy; don’t “wait for certainty” while the other side iterates.

Promise Legal: flat-fee implementation bundles (registration + repo/provenance setup) and a low-friction $50 strategy session to map your fastest path to diligence- and enforcement-ready posture. Built for startup teams, including builders in Austin and beyond.

Learn more

Post-registration playbook: build “legal CI/CD” for ongoing releases

Registration is a point-in-time snapshot; your job is to keep the snapshot habit alive. Tie re-registration to product milestones (major releases, rewrites, new SDKs) so your legal posture matches what customers — and competitors — actually see.

  • Cadence: re-register on major releases/refactors; maintain a calendar aligned to launches and fundraising/M&A windows.
  • Provenance hygiene: signed commits/tags, timestamped release notes, immutable artifact storage, and access logs (especially if you’re also relying on trade secret controls).
  • Release checklist item: generate a deposit bundle + checksum and store it under /legal/deposit/<version>/ with COMMIT_HASH.txt and a manifest.

High-level CI idea: on tag creation, run a job that (1) archives the repo, (2) generates SHA-256 checksums, (3) stores artifacts in restricted storage, and (4) writes a small “filing-ready” manifest JSON.

Technical Integration: wire IP hygiene into your deploy flow

Registration stays valuable when your pipeline continuously manages open source license risk and provenance.

  • Generate an SBOM + run a license scan in CI
  • Archive + hash signed release artifacts
  • Enforce CLA/DCO + branch protection rules
  • Next step: decide posture (register vs. trade secret), snapshot releases, automate provenance, and keep OSS clean.