Open Source Due Diligence

Heading towards an IPO or M&A? We certainly hope so!

Being proactive is critical, as it can significantly shorten the due diligence process. Studies have shown that the longer due diligence lasts, the higher the chance that the deal is never signed or that it closes at a significantly reduced value.

What does every CTO need to produce in the software due diligence process?

First, you will be asked to provide a list of the open source components in your software and their licenses. The list must cover every dependency, including the transitive dependencies pulled in by the components you chose directly, because a dependency may carry a different and more restrictive license than the package that depends on it. An incomplete or inaccurate list signals that you are not on top of your own codebase, and it will likely trigger further investigation.

Second, the investor or acquirer team will want to verify that the licenses of the components you use do not threaten your company's intellectual property, and that the way you use each component complies with its license requirements.

Third, they will want to verify that you are aware of known security vulnerabilities in your product. They will also want to know that you keep track of new patches, fixes and versions of your components, and that you can explain why any problematic component has not yet been updated.
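All three items can be produced from the dependency tree your build tool already records. The script below is an added example, not WhiteSource's tooling or code from this page: it flattens a constructed, simplified lock file (nested dependencies in the shape of an npm v1 package-lock.json, plus a `license` field assumed to have been taken from each package's own metadata) into a full inventory that records why each transitive component is present, flags copyleft or unrecognised licenses for review, and checks each version against a constructed advisory list in a simplified OSV-style range format. The package names, versions and the advisory identifier are all invented for illustration.

```python
import json
from typing import Dict, List, Tuple

# --- Constructed sample input (not a real project) --------------------------
# Simplified lock file: nested "dependencies" like an npm v1 package-lock.json,
# with a "license" field per package that we assume was pulled from each
# package's own metadata. Note that "ui-kit" is MIT but drags in "gpl-widget".
LOCK_JSON = r'''{
  "name": "acme-app",
  "dependencies": {
    "ui-kit": {
      "version": "2.1.0", "license": "MIT",
      "dependencies": {
        "gpl-widget": {"version": "1.4.2", "license": "GPL-3.0-only"},
        "tiny-util":  {"version": "0.3.1", "license": "ISC"}
      }
    },
    "http-client": {
      "version": "3.0.0", "license": "Apache-2.0",
      "dependencies": {
        "tiny-util": {"version": "0.2.9", "license": "ISC"}
      }
    }
  }
}'''

# Constructed advisory list in a simplified OSV-like shape: a component version v
# is affected when introduced <= v < fixed. The identifier is hypothetical.
ADVISORIES = {
    "tiny-util": [{"id": "EXAMPLE-ADV-0001", "introduced": "0.0.0", "fixed": "0.3.0"}],
}

STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
                   "AGPL-3.0-only", "AGPL-3.0-or-later"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "MPL-2.0", "EPL-2.0"}
PERMISSIVE = {"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Compare plain dotted versions numerically, so '1.10.0' sorts after '1.9.0'."""
    return tuple(int(p) for p in v.split("."))


def flatten(lock: dict) -> List[dict]:
    """Walk the nested dependency tree depth-first and return every component,
    including transitive ones, with the path that explains why it is present."""
    out: List[dict] = []

    def walk(deps: dict, path: List[str]) -> None:
        for name, meta in sorted(deps.items()):
            chain = path + [f"{name}@{meta['version']}"]
            out.append({"name": name, "version": meta["version"],
                        "license": meta.get("license", "UNKNOWN"),
                        "path": " > ".join(chain)})
            walk(meta.get("dependencies", {}), chain)

    walk(lock.get("dependencies", {}), [])
    return out


def classify_license(spdx: str) -> str:
    """Bucket an SPDX identifier; anything unrecognised is flagged for human review."""
    if spdx in STRONG_COPYLEFT:
        return "strong-copyleft"
    if spdx in WEAK_COPYLEFT:
        return "weak-copyleft"
    if spdx in PERMISSIVE:
        return "permissive"
    return "unknown"


def vulnerabilities_for(name: str, version: str, advisories: Dict[str, List[dict]]) -> List[str]:
    """Return the advisory ids whose [introduced, fixed) range contains this version."""
    v = parse_version(version)
    return [a["id"] for a in advisories.get(name, [])
            if parse_version(a["introduced"]) <= v < parse_version(a["fixed"])]


def build_report(lock_json: str, advisories: Dict[str, List[dict]]) -> dict:
    """Produce the three artefacts due diligence asks for: the full inventory,
    license findings that need counsel's review, and known-vulnerable components."""
    components = flatten(json.loads(lock_json))
    license_issues, vulns = [], []
    for c in components:
        kind = classify_license(c["license"])
        if kind != "permissive":  # copyleft or unrecognised licenses need review
            license_issues.append({**c, "category": kind})
        ids = vulnerabilities_for(c["name"], c["version"], advisories)
        if ids:
            vulns.append({**c, "advisories": ids})
    return {"components": components, "license_issues": license_issues,
            "vulnerabilities": vulns}


if __name__ == "__main__":
    report = build_report(LOCK_JSON, ADVISORIES)
    for c in report["components"]:
        print(f"{c['name']}@{c['version']:<8} {c['license']:<14} via {c['path']}")
    print("license findings:", [(i["name"], i["category"]) for i in report["license_issues"]])
    print("vulnerable:", [(v["name"], v["version"], v["advisories"]) for v in report["vulnerabilities"]])
```

Two points from the sample data matter for the diligence conversation. The same package can appear more than once at different versions (here tiny-util 0.2.9 under http-client and 0.3.1 under ui-kit), and only one of them is in the affected range, so reporting by name alone is not enough. And the `path` column is what lets you answer "why is a GPL component in a proprietary product?" with a concrete dependency chain instead of a guess.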

Automate your tracking and reporting

Compiling these materials by hand from manually tracked inventories is time-consuming, and the result is often incomplete and inaccurate. Code scanners are another option, but they are an expensive and slow alternative.

WhiteSource will not only generate 100% accurate, up-to-date due diligence reports within minutes, but will also continue to detect your open source components as you develop your products, flagging any problems along the way so you are never surprised.