Estonian Patchstack raises $5M Series A for open source cybersecurity tool

Estonian cybersecurity startup Patchstack has raised a new funding round of $5 million to advance its mission of covering the entire lifecycle of open source security and providing the fastest mitigation of emerging security threats.

Patchstack’s Series A round was led by Karma Ventures, an early-stage venture capital fund focused on deep-tech software companies, with participation from G+D Ventures, the German TrustTech investor, and Emilia Capital, the investment firm of Yoast founders Marieke van de Rakt and Joost de Valk.

On average it takes more than 200 days to fix a critical security vulnerability. Patchstack helps developers quickly identify, prioritize and automatically mitigate new vulnerabilities and provides the fastest vulnerability protection in real time. By combining their vulnerability intelligence with application vPatching technology, Patchstack does not require user interaction or code changes, thus maintaining the application’s full integrity.

The company has now released its free tool, co-funded by the EU, for open source software vendors, helping commercial projects comply early with the upcoming Cyber Resilience Act. The final version of the Cyber Resilience Act was confirmed in March 2024 and is expected to be passed into law later this year. The Cyber Resilience Act (CRA) is an EU regulation for improving cyber security and cyber resilience in the EU through common cyber security standards for products with digital elements, such as required incident reports and automatic security updates.

Today, more than five million websites are scanned by Patchstack’s vulnerability intelligence, and millions of vulnerability attacks are prevented using Patchstack’s vulnerability mitigation. Its current clients include GoDaddy, DigitalOcean, Plesk/cPanel, and many others. While the company’s first solution was made for WordPress, the world’s largest open source content management system, which powers more than 40% of all websites, it is preparing to support other CMSs and plans to expand into the broader open source software ecosystem.

Patchstack’s unique strength is its access to vulnerability data. The company launched its first gamified bug bounty program and ran the Vulnerability Disclosure Program (VDP) for WordPress plugins, attracting thousands of ethical hackers to find and report new security vulnerabilities. This program’s success made Patchstack the leading open source security intelligence provider and the largest CVE (Common Vulnerabilities and Exposures) Numbering Authority by volume in 2023.

Last year, Patchstack published 76% of all known WordPress-related security vulnerabilities, demonstrating their market dominance. Earlier in 2023, Google selected Patchstack for their AI for Cybersecurity accelerator program to help expand their AI capabilities using their unique and extensive dataset – the world’s largest dataset of open source security vulnerabilities.

Patchstack founders met in 2016 on a PHP Security subreddit. Oliver Sild, the CEO, then did incident response and malware investigation, and Dave Jong, the CTO, did web application penetration testing. They have since built Patchstack.

“I’ve been following Patchstack’s progress for quite some time, had very good conversations with Oliver and think that the team is on a noble and exciting mission to protect users of open source technology from cyber threats. I’m really glad that Oliver and his team chose to partner with Karma Ventures and I look forward to working with the team and our co-investors on this opportunity,” said Kristjan Laanemaa of Karma Ventures.

Patchstack aims to become the leading open source software security company and help companies and software vendors comply with the upcoming European Cyber Resilience Act. The law adds huge momentum and customer demand for Patchstack as it requires companies to have vulnerability management and software oversight across the supply chain. Additionally, software developers should have VDP programs, which Patchstack provides, as they cover the entire lifecycle of open source software vulnerabilities.

“We are pleased to join Patchstack’s vision to automate open source software security with its unique approach to proactively protect applications from vulnerabilities. We are particularly impressed by Patchstack’s exceptional leadership and remarkable talent, along with its focus on delivering value based on quality and execution for its customers and partners. We look forward to a hands-on partnership with both the Patchstack team and investors, shaping a more secure digital future together,” said Alberto Pérez Arranz of G+D Ventures.

“We are a small but very effective team. With the data and technology we possess, we believe we can potentially hyper-automate the entire open source software security process,” said Oliver Sild, co-founder and CEO. “Two years ago, the European Innovation Council supported our R&D efforts with a grant of 2 million EUR, which then allowed us to build a great product and grow our recurring revenue organically two to three times a year. Now, with the Series A, we plan to accelerate Patchstack product development and build a top-tier sales and marketing team,” he added.
