Michigan won. The Lions won. The markets crashed, and crypto did as well. It’s been a wild couple of weeks across the market, with the COSS Index sharply retracing recent gains and losing 6 multiple turns of valuation in just the last 4 weeks. After jumping out to a fast start at the beginning of the year, the COSS Index has underperformed, trailing the benchmark Nasdaq by nearly 34%, with the Omicron variant keeping the elves and reindeer in quarantine as the Santa Claus rally has yet to leave the North Pole.
This week, we spent time with Donald Fischer, the CEO and Co-Founder of Tidelift, a very interesting company that provides enterprises with a system for managing security, licensing, and maintenance across open source products that are becoming an enormous percentage (70% or more!) of enterprise software code. Tidelift is also providing open source developers with the tools to institutionalize and monetize their content to connect their earnings potential to the value of their offering.
Private Markets
Panther, the cloud-scale security analytics platform, announced their $120M Series B at a $1.4B valuation led by Coatue Management.
Netlify, the serverless JAMstack platform, announced their $105M Series D led by Bessemer Venture Partners.
Upbound, building a Universal Cloud Platform on Crossplane, announced their $60M Series B led by Altimeter Capital.
PlanetScale, building scalable, transactional databases, announced their $50M Series C led by Kleiner Perkins.
Alluxio, the in-memory file system for data orchestration, announced their $50M Series C led by a leading global investment firm.
Gradle, building software for developer productivity, announced their $27M Series C led by Triangle Peak Partners.
Bit, helping front-end developers collaborate on component-driven software, announced their $25M Series B led by Insight Partners.
Conduktor, building an enterprise Apache Kafka platform, announced their $20M Series A led by Accel.
Elementl, the company behind Dagster, announced their $15M Series A led by Index Ventures.
Cerbos, building the future of user permissions and authorization, announced their $3.5M Seed led by Crane with participation by OSS Capital.
Public Markets
To track the performance of COSS companies, we’ve created an equal-weighted index composed of public names including Gitlab, Kaltura, Couchbase, Confluent, MongoDB, Elastic, Rapid7, Fastly, and JFrog.
The COSS Index retraced to levels not seen since August of this year, down nearly 12% over the last two weeks.
COSS Index -16%
NASDAQ +18%
S&P 500 +22%
After several months of resurgence, the COSS Index has also retraced to roughly the same level as the Nasdaq over the trailing three-year period.
COSS Index +111%
NASDAQ +111%
S&P 500 +70%
COSS companies continued their downward trend, losing 3 multiple turns (bringing the total to 6 turns over the last month!) as valuations compressed. All three indices continue to trade significantly higher than their rolling five-year average, but the delta is narrowing.
COSS Index: Current Multiple 19.9x | Five-Year Mean: 12.0x
Emerging Cloud Index: Current Multiple 12.0x | Five-Year Mean: 10.0x
NASDAQ Composite: Current Multiple 4.3x | Five-Year Mean: 3.4x
OSS Newsletter interview with Donald Fischer, CEO and Co-Founder at Tidelift.
OSS Newsletter:
What is your background?
Donald:
I'm the CEO and co-founder of Tidelift. I'm a software developer by trade. So when I fill out the landing card on the airplane, I write software engineer. But what I've ended up specializing in, over about 20 years now, is Open Source software. I started as a user of what was really the free software movement at that time, which has evolved into today’s Open Source. And I’ve had a chance to go from being a user of Open Source to working on a number of the big enterprise businesses that have been built around Open Source.
Early in my career, I had the good fortune of being an early product manager for Red Hat Enterprise Linux and helping to take that product to market, which was really one of the biggest, largest enterprise successes for Open Source. And then I actually spent 10 years as a venture capital investor, first at Greylock and then at General Catalyst, again, where I hyper-focused on Open Source, leading a number of Seed and Series A deals in Open Source companies. And basically what I got fascinated by was this emergent phenomenon of humans working together to create Open Source that's enabled by the internet. Unlike so many other things, it's actually a good thing that people do together on the internet!
I'm fascinated with the idea of designing businesses that can amplify the energy that comes out of these communities of people on the internet that are building this open-source software. Personally, my mindset is always around amplifying, versus harvesting the energy of those communities. I think the big win for everybody, including all the users of Open Source, is when you find commercial models that amplify it and put more energy back into the system than they take out. That can be an amazing thing. And that led up to what we're doing with Tidelift.
OSS Newsletter:
What is Tidelift?
Donald:
Open Source has taken over so many aspects of software, and there are these huge platform companies around some kinds of Open Source projects such as Linux and different applications, or system services like databases: MongoDB, Elastic, Confluent, and now many others. But there's one part of the Open Source landscape that I couldn't avoid staring at, that really has not been enterprise-enabled to the degree that it needs to be, and that's the Open Source ingredients that go into applications. It's true today, and it's been true for a number of years now, that if you take any application that's being built by a vendor and then sold to a software company or a SaaS company, or a custom application that's getting built within an enterprise like a financial services company building a trading application, if you x-ray what actually goes into the application that gets built, at least 70%, increasingly 80% or more, of the lines of code there are third-party Open Source. Those are coming from language-specific package managers like NPM or the Python Package Index, or Maven Central for Java. These packages originate in Open Source projects that are posted on GitHub and other collaboration platforms. And the crazy thing is there's no Red Hat for the vast majority of that stuff. The vast majority of it is organically produced. It's consumed by 100% of the Fortune 500 companies. And also every other company that's doing anything with software. But there's nobody validating that it meets the standards serious organizations require.
All this software is part of what's become known now as the Open Source software supply chain. And there was this huge missing ingredient in the market we observed: for somebody to look after that, and make sure that it meets some of the security, legal, licensing, and proactive maintenance standards that would be considered bare minimum requirements for any enterprise-grade, commercial-grade software in a traditional setting. How could it be that everybody's using this huge body of software, but not asking any questions or investing to make sure that it meets certain standards? So that's the idea that led to Tidelift.
OSS Newsletter:
Given Tidelift’s unique vantage point, how do you see Open Source being adopted by the enterprise?
Donald:
I think it just snuck up on a lot of organizations, how central Open Source becomes. It's actually the case now that for most contemporary software assets that you would build, whether it's a web application or a mobile app, it's increasingly difficult to build that without using Open Source. You just wouldn't be able to get far enough to ship something that would feel like a complete application. You're going to end up using all kinds of JavaScript and other Open Source components. So that already happened, is the crazy thing. And the challenge at a minimum is to make sure that all that software meets certain security standards.
For a while, people put it off. They said, "Hey, this hasn't really been a problem. So let's just go with the flow," but then it started becoming a problem, especially over the last 12 months, starting with the SolarWinds breach, which was not an Open Source supply chain attack, but was a software supply chain attack. And then a whole sequence of other breaches, both Open Source and non-Open Source software supply chain attacks. Now it's actually become a critical issue, and it's increasingly becoming mandatory. In May, the White House put out an executive order on cybersecurity that mandates any company conducting business with the federal government or any of its agencies to start making representations about what's going into their software, including a so-called Software Bill of Materials or ingredients list. And not only listing what's going in there, including all the Open Source, but testifying to the fact that it meets basic security practices and standards.
And essentially very few organizations are equipped to answer those questions, to even know the list of all of the Open Source that's flowing into their applications, much less feel confident saying, "Yeah, this has been determined to meet a defined reasonable set of security practices." So that's a problem that we at Tidelift help them solve. And it's a really profound problem for organizations right now, not least because it’s becoming mandatory. The federal government is using its purchasing power to force this onto the industry, to try to address this sequence of disasters, from SolarWinds to Colonial Pipeline and beyond.
OSS Newsletter:
What should young companies and founders be thinking about as they build open-source solutions to address these issues?
Donald:
I'm tempted to answer that question two different ways. So one is for new business ventures that are building Open Source related technologies and selling, or selling services around them, to companies. But also the same question is applicable to just folks that are creating Open Source projects that are of general use and putting them out there, and then they end up getting consumed by organizations of all shapes and sizes. When we look at what are the basic core standards that software, whether it's Open Source or not, needs to meet to be safe to use in a reasonable enterprise that has data security needs, it comes down to three broad categories.
So one of them is security. And the minimum hygiene standard there is, ensure that the software that you are using and deploying in production does not have known security vulnerabilities in it. Most organizations don't have a process and tooling in place to ensure even that. And then you get into proactive things you can do to close the door to future vulnerabilities that may arise or be discovered. And part of that is having a defined plan, a security response plan in place with all of the folks who need to make changes to the software, pre-configured and agreed on what's going to happen if, and increasingly when, there's a security vulnerability discovered in the future. So Tidelift's perspective on this is that we work with those Open Source maintainers to get all of that wired up in advance, and to ensure that the software meets these standards today. But also that we know what to do when there is a security vulnerability in the future. There are dozens every week as of now. So that's the security bucket.
There's a second bucket that's important to a lot of organizations, around the complexities of Open Source licensing. And the key challenge there is just getting clean, authoritative license data and metadata around these Open Source packages. Who wrote it? What Open Source license or licenses is it under, and how do we know? What's the chain of custody from somebody writing the code to this asset? And is the information complete and accurate? Typically, most of the software that you just grab from an Open Source package manager may say Apache or another license, but a lot of it has not been vetted to a really commercially reasonable standard of accuracy or completeness. That's one of the places where Tidelift works with the maintainers to bring things up to enterprise standards.
And then the third area, which again applies to all software, but now people are trying to figure out how to get Open Source to conform to this reasonable expectation, is maintenance. Is somebody looking after this software on a going-forward basis, or is this just some code that was thrown out there, and it's not going to be maintained to adapt to the technology ecosystem changing around it, or respond to security issues? And so that's another area of our business at Tidelift. One of the things we do is we work with those Open Source creators to come up with a plan and get their input on, "How long are you going to maintain this version of this software? What do we mean by maintain?" These are the things that are going to be done. So security, and licensing, and maintenance are the three broad categories of things that we work with organizations to figure out around their Open Source usage.
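To make the three buckets concrete, here is an added example (not Tidelift's tooling or any code from the interview) of a minimal dependency policy check over a constructed manifest; the package names, versions, advisory id, license allow-list and one-year staleness threshold are all assumptions made up for illustration.

```python
# Added example, not Tidelift's code: a minimal policy check applying the interview's
# three buckets (security, licensing, maintenance) to a constructed manifest.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Package:
    name: str
    version: str
    license: Optional[str]  # None means no authoritative license metadata
    last_release: date

# Constructed advisory feed: (name, affected version) -> advisory id (made up)
KNOWN_VULNERABLE = {("examplelib", "1.2.0"): "CONSTRUCTED-ADV-0001"}
# Constructed allow-list of licenses the organization accepts
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
STALE_DAYS = 365  # constructed threshold: no release in a year counts as unmaintained

def check_package(pkg: Package, today: date) -> list:
    """Return (bucket, message) findings; an empty list means the package passes."""
    findings = []
    # Bucket 1: security - the deployed version must have no known vulnerabilities
    adv = KNOWN_VULNERABLE.get((pkg.name, pkg.version))
    if adv:
        findings.append(("security", f"{pkg.name}=={pkg.version} matches {adv}"))
    # Bucket 2: licensing - license metadata must exist and be on the allow-list
    if pkg.license is None:
        findings.append(("licensing", f"{pkg.name} has no authoritative license metadata"))
    elif pkg.license not in ALLOWED_LICENSES:
        findings.append(("licensing", f"{pkg.name} license {pkg.license} is not allowed"))
    # Bucket 3: maintenance - someone must still be looking after the package
    if (today - pkg.last_release).days > STALE_DAYS:
        findings.append(("maintenance", f"{pkg.name} has had no release in over a year"))
    return findings

def check_manifest(packages, today: date) -> dict:
    """Map package name -> findings, omitting packages that pass all three buckets."""
    return {p.name: f for p in packages if (f := check_package(p, today))}

# Constructed manifest used for the demonstration
SAMPLE_MANIFEST = [
    Package("examplelib", "1.2.0", "MIT", date(2021, 10, 1)),       # vulnerable version
    Package("quietlib", "0.3.1", None, date(2019, 5, 20)),          # no license, stale
    Package("goodlib", "2.0.0", "Apache-2.0", date(2021, 11, 15)),  # passes all buckets
]
```

Running `check_manifest(SAMPLE_MANIFEST, date(2021, 12, 1))` reports a security finding for examplelib and both a licensing and a maintenance finding for quietlib, while goodlib is omitted because it passes.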
OSS Newsletter:
What is the future of Tidelift?
Donald:
It's really exciting. This is a really big idea, and it's fun to work on, especially for an Open Source-obsessed nerd like myself, who's been staring at this problem space for decades now, it's scary to say. So the key special sauce of our new way of going about this is that we have this direct economic relationship with the original Open Source creators. And usually, that's a side hustle for most of them today. We're actually paying them to do this tedious, often boring work of ensuring all of these processes are in place and there are security response things, and going through all the vetting, all of the security vulnerabilities, and putting the license information into a structured format. It's the boring stuff. It's a lot of the stuff that Red Hat does for Linux, or other vendors have done for other parts of Open Source.
We're just doing it for this really, really broad collection of more than 10,000 Open Source projects across all these application development ecosystems. So the first goal is to augment their day job with Tidelift income because then they can spend more of their time on maintaining their Open Source projects. And then our real vision for the company is, then they should be able to go way beyond that because if you are the creator and maintainer of a widely-used Open Source package, you are enabling all kinds of organizations, whether it's an energy industry business, or healthcare, or a government agency. They're creating a ton of value in the world.
And historically, they haven't really been able to participate in it; we think they should. So the vision for the company is that these folks should be a different kind of content star. YouTube stars or movie stars of old can have uncapped earning potential. We think that logically Open Source creators should have access to that kind of a channel. And the really cool thing is we found a way to connect the value that they create, including doing the last bit of this enterprise readiness work, to value received.