Open Source Due Diligence. With Teeth.

Complete risk inventory. Informed valuations. $1M+ warranty on our findings.

96% of targets have unpatched vulnerabilities. That's the easy part.

Traditional audits find known CVEs and GPL violations. They miss:

  • Abandoned packages with no maintainer

  • Single-author dependencies (bus factor = 1)

  • Source code that doesn’t match the published package

  • License landmines buried in transitive dependencies

These affect valuation, integration costs, and post-acquisition liability. Most audits miss them entirely.

Industry benchmarks from 1,000+ M&A audits

Risk                             Prevalence
Unpatched vulnerabilities        96%
License conflicts                85%
Components inactive 2+ years     91%
Bus factor = 1 dependencies      ~25%

Sources: Black Duck 2025 OSSRA Report, Black Duck M&A Report, Sharma “Tragedy of the Digital Commons” (2023)

Built for compliance workflows.

SBOM Generation

SPDX 2.3. Complete dependency inventory. EO 14028 and EU CRA ready.

Policy Enforcement

Org-wide defaults. Per-repo overrides. Time-delayed blocking.

Risk Acceptance

Documented exceptions with approver, expiration, and business justification.

Audit Trail

Every decision logged. Export-ready for compliance reviews.

$1M+ Warranty Coverage.

We stand behind our assessments. If we miss something, we're liable. Try getting that from your current SCA vendor.

Complete coverage. Complete documentation. Complete confidence.