OpenSource Risk Experts
Map your blast radius

CASE STUDY / ANONYMISED COMPOSITE

PE portfolio standardises open source diligence

In this case study, a middle-market private equity firm replaced inconsistent, deal-by-deal open source reviews with a single standardised diligence process across its software portfolio. The result was a comparable view of license exposure at entry, during the hold, and at exit. The account below is an anonymised composite.

Situation

The firm held roughly fifteen software companies across several funds, ranging from infrastructure tools to vertical applications. Open source diligence happened at acquisition, but it was handled differently each time, by whichever adviser the deal team engaged, in whatever format that adviser preferred. The partners could not compare license risk across the portfolio, because no two reports measured the same things. As the recent relicensing wave moved through widely used tools, the firm grew uneasy. It suspected that several portfolio companies were running components that had changed terms, and it had no consistent way to confirm or size that exposure across holdings.

The exposure that triggered the work

The trigger was an exit that nearly went sideways. During the sale of one portfolio company, the buyer's diligence surfaced HashiCorp tooling under the Business Source License and an Elasticsearch deployment under the Server Side Public License, neither of which the seller had mapped. The buyer used the uncertainty to argue for a price adjustment and an escrow. The exposure turned out to be modest once examined, but the firm had been on the back foot, defending against an open question it should have answered first. The partners concluded that what nearly cost them at one exit was almost certainly present, unmeasured, across the rest of the portfolio. They wanted a process that surfaced this risk on their own timeline rather than the counterparty's.

Approach

We built a standardised open source diligence process the firm could apply to every holding and every new deal. It had three fixed parts. First, a common dependency mapping method that captured each company's open source components, direct and transitive, with the license state of each node recorded the same way every time. Second, a shared classification scheme that sorted findings into clearly permitted use, copyleft obligations to track, and relicensing exposure that needed sizing, so a finding meant the same thing in every report. Third, a single reporting template that rolled each company's exposure into a portfolio view the partners could read at a glance and compare across holdings. We ran the process across the existing portfolio first to establish a baseline, then handed the firm a repeatable playbook for future diligence. Throughout we worked from the buyer side and kept findings confidential to the firm and its counsel.
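The three fixed parts above (per-node license capture across the transitive graph, a fixed classification into the same three buckets, and a portfolio roll-up) can be sketched in a few dozen lines. The block below is an added illustration written for this page, not the engagement's own tooling: the bucket membership of each SPDX identifier, the company names and the component graphs are constructed assumptions, and any real policy would be set with counsel rather than hard-coded.

```python
from collections import defaultdict

# Assumed mapping of SPDX identifiers into the three buckets the page describes.
# A real engagement would drive this from a counsel-reviewed policy, not a literal.
PERMITTED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "LGPL-2.1-only", "MPL-2.0"}
# Source-available terms that widely used projects moved to from OSI licences.
RELICENSED = {"BUSL-1.1", "SSPL-1.0", "Elastic-2.0"}


def classify(spdx_id):
    """Sort one licence identifier into a bucket; anything unmapped is a finding too."""
    if spdx_id in PERMITTED:
        return "permitted"
    if spdx_id in COPYLEFT:
        return "copyleft"
    if spdx_id in RELICENSED:
        return "relicensed"
    return "unknown"


def reachable(direct, graph):
    """Every component reachable from the direct dependencies (transitive closure).
    The visited set makes this safe on dependency cycles."""
    seen, stack = set(), list(direct)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(graph.get(name, ()))
    return seen


def assess_company(company):
    """One finding per node, recorded the same way for every company."""
    findings = []
    for name in sorted(reachable(company["direct"], company["graph"])):
        lic = company["licenses"].get(name, "NOASSERTION")  # SPDX value for 'not recorded'
        findings.append({
            "component": name,
            "license": lic,
            "bucket": classify(lic),
            "transitive": name not in company["direct"],
        })
    return findings


def needs_sizing(company):
    """Components whose terms changed, i.e. the exposure that must be sized."""
    return [f["component"] for f in assess_company(company) if f["bucket"] == "relicensed"]


def portfolio_view(companies):
    """Roll each company's findings into comparable bucket counts."""
    view = {}
    for c in companies:
        counts = defaultdict(int)
        for f in assess_company(c):
            counts[f["bucket"]] += 1
        view[c["name"]] = dict(counts)
    return view


# Constructed sample portfolio: hypothetical companies and component names.
SAMPLE = [
    {
        "name": "Alpha",
        "direct": ["web-framework", "search-client", "secrets-agent"],
        # json-lib -> web-framework is a deliberate cycle to exercise reachable().
        "graph": {"web-framework": ["json-lib"], "json-lib": ["web-framework"],
                  "search-client": ["elasticsearch"], "secrets-agent": ["vault"]},
        "licenses": {"web-framework": "MIT", "json-lib": "Apache-2.0",
                     "search-client": "Apache-2.0", "elasticsearch": "SSPL-1.0",
                     "secrets-agent": "MPL-2.0", "vault": "BUSL-1.1"},
    },
    {
        "name": "Beta",
        "direct": ["cli-tool", "db-driver"],
        "graph": {"cli-tool": ["yaml-lib"]},
        # db-driver has no recorded licence: it surfaces as 'unknown', not silently as clean.
        "licenses": {"cli-tool": "GPL-3.0-only", "yaml-lib": "MIT"},
    },
]

if __name__ == "__main__":
    for name, counts in portfolio_view(SAMPLE).items():
        print(name, counts)
    for c in SAMPLE:
        print(c["name"], "relicensed:", needs_sizing(c))
```

Two design points matter more than the code. A node with no recorded license lands in an explicit "unknown" bucket rather than defaulting to clean, because an unmapped component is exactly the open question a counterparty will exploit. And the relicensed exposure in the sample sits entirely in transitive nodes, which is why the mapping has to walk the whole graph rather than stopping at what the company's own manifest names.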

Outcome

The baseline review across the portfolio found relicensed components in a majority of the companies, which confirmed the partners' suspicion, but the quantified exposure was bounded in nearly every case. Most use was internal and permitted, with a small number of deployments that warranted attention and a clear cost-to-cure attached to each. Two companies carried exposure material enough to fold into their value-creation plans, where remediation was scheduled deliberately rather than forced later. With a comparable view in hand, the firm could see which holdings carried the most license risk and address them on its own schedule. At the next exit, the company went to market with a current dependency map and a documented position, and the open source question that had nearly repriced the earlier deal was a non-event. The standardised process turned a recurring surprise into a managed line item across the portfolio.

Lessons for buyers

Three lessons carry beyond this engagement. The first is that consistency is its own form of leverage. A standardised method lets an investor compare risk across holdings and act on the worst first, which ad hoc reviews never allow. The second is that the cheapest time to find portfolio license exposure is before a counterparty does, on your own timeline, where a bounded number replaces an open question. The third is that diligence is not only an entry activity. Carried through the hold and refreshed before exit, the same map that informs a purchase protects the sale. For more on this pattern, see our service on open source M&A due diligence and the related case study where an acquirer finds hidden SSPL risk in a target.

CONTAINMENT

Standardise diligence across your portfolio

A confidential engagement builds a repeatable open source diligence process you can apply to every holding and every deal. Independent, buyer-side, paid only by you. See our open source license risk services or talk to us directly.

Book a confidential assessment

COMMON QUESTIONS

Questions buyers ask.

What did this private equity open source diligence case study involve?

A private equity firm wanted consistent open source diligence across a portfolio of software companies. We built a repeatable process to map each company's dependencies, classify license exposure, and report it in a common format, so the firm could compare risk across holdings and price it into entry and exit. The account is an anonymised composite.

Why does a private equity firm need standardised open source diligence?

Portfolio companies adopt open source independently, so license exposure varies widely and is rarely comparable across holdings. A standardised process gives the firm a consistent view of relicensing and copyleft risk, which supports entry diligence, ongoing oversight, and a cleaner exit where the buyer cannot use an open source surprise to reprice.

Is this a real named firm?

No. This is an anonymised composite drawn from common engagement patterns. It uses an investor type, a portfolio scale, and a specific exposure to illustrate the work, with no named parties or logos.

Is this legal advice?

No. This is commercial and licensing risk advisory, not legal advice. For interpretation of license terms and diligence findings, engage your own counsel.