This year has been one of the most volatile in the history of Wall Street. Between the macroeconomic impact of COVID-19, overall political uncertainty, and an increasingly complex global trade atmosphere, the stock market has responded unpredictably, hitting some of the lowest points of the past five years in early spring as well as all-time record highs in February and August.
However, even with the current strong market, the S&P 500, which indexes the performance of the largest companies on the New York Stock Exchange (NYSE), was up less than 11% over the first eight months of the calendar year. In comparison, the IPO stock index, as tracked by Renaissance Capital, was up almost 67% on August 31, 2020.
As a result, U.S. markets are expected to see more IPO activity this year (an anticipated 150 debuts) than any year in the past decade, other than the high-water mark of 2014, which saw offerings from technology and tech-adjacent heavyweights like Alibaba, Zendesk, GrubHub, and JD.com. And, where 2014 U.S. IPO proceeds were approximately $85.3 billion from 275 offerings, 2020 IPO proceeds should easily exceed that mark.
The successful debuts this year of cloud services like Fastly, Jamf, ZoomInfo, and nCino, oncoming decacorn IPOs like Snowflake and Palantir, as well as other highly anticipated offerings like Asana, Qualtrics, JFrog, Unity, Sumo Logic, and GoodRx will almost definitely push 2020 IPO proceeds well past the $100 billion level. And speculative mega IPOs from Airbnb, Robinhood, and DoorDash could even mean IPO proceeds reach the $150 billion horizon this year for the first time.
Open Source License Management: The Invisible S-1 Killer
As we start to see S-1 teardowns about all these former-startups-made-good, we’ll certainly hear about side-by-side and historical benchmarking for key performance metrics and what has become the most interesting and strategic section of the modern tech IPO filing: risk disclosures. Risks typically include increased competition and lower barriers to new entrants, questionable timelines to profitability due to sales and marketing spend, unforeseen changes to overall economic conditions, transforming consumer and corporate behaviors, and external dependencies driving up the cost of goods sold (COGS).
Despite all the excellent trend-spotting, future-looking analyses, and business contingencies in the big-time financial publications and venture capitalists’ blogs, there is one huge risk factor that few of even the biggest software IPOs address in their S-1s, but the best all include in their private due diligence: open source license management.
The open source software (OSS) dependencies built into the vast, vast, vast majority of today’s digital products present a variety of license compliance risks that companies preparing for an IPO must proactively and programmatically address. Without an audit of and plan to address open source license and vulnerability issues, not only can the IPO preparation process get slowed down, but IPO value can be depressed, both in the short term and at virtually any point in the life of a public company.
With the proliferation of open source components, now estimated by Gartner in its 2019 Software Composition Analysis Report to account for up to 90% of every piece of software, OSS license management inherently redefines the scope of the risk companies must evaluate when considering an IPO. There are three primary types of compliance risks to consider: intellectual property (IP) risk, customer indemnification risk, and vulnerability and security risk.
Intellectual Property Risk Due Diligence
Open source IP risk comes in two flavors. The first and most common is as a result of poor open source license management. Given the nature of open source and the pace at which the code changes, failure to comply with licenses exposes companies to the possibility of business disruption, as some licenses may automatically terminate due to the companies’ non-compliance. Legally, companies using OSS in their applications must comply with licenses for each component to maintain the rights to modify and distribute their technology. But at the scale most companies develop and iterate software, auditing and managing the licenses of all the underlying open source dependencies requires concerted attention and has to be part of every technology company’s IPO due diligence.
The second type of open source IP risk is accidental infringement. Because companies don’t have full visibility into the development of the open source elements that make up much (or most) of their code, it’s difficult to passively safeguard against infringement risk. By performing constant due diligence, companies are more able to prevent unintentionally distributing or misappropriating third-party software that would be subject to litigation or require expensive and time-consuming re-engineering.
The first step in preparing software products that include open source elements for an IPO is to perform an automated scan of every line of code to discover and document all the direct and transitive dependencies, including license information that may not be uncovered by package file parsing alone. This bill of materials (BoM) should be the starting point for any open source due diligence.
Uber’s 2019 offering is a clear example of the intellectual property risk that working with open source software poses to an IPO. At the time of its IPO, Uber used an automated scan to document more than 1,300 direct and transitive dependencies in its open source Kepler project for geospatial mapping alone. Manually tracking or not tracking the licenses of those third-party dependencies would be nonviable at any scale and would have, ultimately, put Uber’s IPO at risk. [Note: Uber is a FOSSA customer.]
Customer Indemnification Risk Due Diligence
In addition to the possibility of litigation for using open source software in breach of the applicable licenses, companies moving towards IPO also must understand their risk of having to indemnify their customers against legal action for the improper licensing of open source components. In preparing for a public offering, perhaps the greatest business risk any company can face is the downstream possibility of compensating customers at a higher rate than their contract value resulting from the mismanagement of third-party code.
The most pronounced example of customer indemnification as a risk disclosure is in Cloudera’s 2017 S-1. In its pre-IPO reporting, while expressing the business risk associated with operating a hybrid open source software (HOSS) model, Cloudera also managed to highlight every software company's need for due diligence and ongoing license management related to the overwhelming presence of open source:
“...We or our customers could be subject to lawsuits by parties claiming ownership of (or that different license terms apply to) what we believe to be open source software, or seeking to enforce the terms of an open source license.
...In addition to risks related to license requirements, usage of open source software can lead to greater risks than use of third‑party commercial software, as open source licensors generally do not provide warranties, support, indemnity or assurance of title or controls on origin of the software.”
Vulnerability and Security Risk Due Diligence
The final piece of proper open source due diligence leading up to an IPO is an audit and attempted remediation of known vulnerabilities. Although OSS tends to be safer and less vulnerable than proprietary software, the surface area is so large, and constant security analysis is so complex, that automated scanning against a vulnerabilities database becomes an absolute requirement leading up to an IPO.
What’s more, although it’s nearly impossible to patch all vulnerabilities, assessing and managing security risk as part of due diligence is a clear indication of readiness and responsibility. Revisiting Cloudera’s S-1:
“Further, some open source projects have known vulnerabilities and architectural instabilities and are provided on an ‘as‑is’ basis. Many of these risks associated with usage of open source software, such as the lack of warranties or assurances of title, cannot be eliminated, and could, if not properly addressed, negatively affect the performance of our platform and our business. In addition, we are often required to absorb these risks in our customer and partner relationships by agreeing to provide warranties, support and indemnification with respect to such third party open source software.”
In order to remove any friction from an IPO, every soon-to-be-public company must be prepared to do a thorough and speedy audit and deliver comprehensive reports and documentation on their open source license compliance and vulnerability remediation. So we’ve put together seven straightforward steps to follow for IPO due diligence. By focusing on the full lifecycle of the software and the sync up between the company, investors, and customers — from confidentiality to roadshow — these seven steps not only help unblock any upcoming IPO, but also remove friction and risk from downstream activity.