Patchstack Raises $5M Series A to Enhance Open-Source Cybersecurity Solutions

Estonian cybersecurity startup Patchstack has successfully closed a $5 million Series A funding round to advance its mission of securing the entire lifecycle of open-source software and offering rapid responses to emerging security threats. The funding round was led by Karma Ventures, a venture capital fund specializing in deep-tech software companies. The round also saw participation from G+D Ventures, a German investor in trust technology, and Emilia Capital, the investment firm founded by Yoast creators Marieke van de Rakt and Joost de Valk.

Patchstack’s primary aim is to address the critical issue of slow response times to security vulnerabilities, which typically take over 200 days to patch. The company provides developers with tools to quickly identify, prioritize, and auto-mitigate new vulnerabilities, offering real-time protection without requiring user interaction or code changes. This approach helps maintain the integrity of applications while delivering fast and efficient security measures.

In addition to its core services, Patchstack has recently released a free tool, co-funded by the European Union, designed to assist open-source software vendors in complying with the forthcoming Cyber Resilience Act. This Act, finalized in March 2024, is expected to be enacted later this year. It aims to enhance cybersecurity and resilience in the EU by setting common standards for digital products, including mandatory incident reports and automatic security updates.

Patchstack's services currently protect over five million websites, preventing millions of attacks. Their clientele includes notable names like GoDaddy, Digital Ocean, and Plesk/cPanel. Initially focused on WordPress, the world's largest open-source content management system, Patchstack plans to broaden its scope to support additional content management systems (CMSs) and expand into the wider open-source software ecosystem.

A key strength of Patchstack is its extensive access to vulnerability data. The company has pioneered a gamified bug bounty program and manages the Vulnerability Disclosure Program (VDP) for WordPress plugins, attracting thousands of ethical hackers. This success has established Patchstack as a leading provider of open-source security intelligence and the largest CVE (Common Vulnerabilities and Exposures) Naming Authority by volume in 2023. Last year, Patchstack was responsible for publishing 76% of all known WordPress-related security vulnerabilities.

Patchstack’s achievements also include being selected by Google for their AI for Cybersecurity accelerator program earlier in 2023. This selection underscores the company’s commitment to expanding its AI capabilities using its extensive dataset of open-source security vulnerabilities.

Founded by Oliver Sild, CEO, and Dave Jong, CTO, who initially connected through a PHP Security subreddit in 2016, Patchstack has evolved significantly. Sild was previously involved in incident response and malware research, while Jong focused on web application penetration testing. Together, they have built Patchstack into a leading player in the open-source security space.

Kristjan Laanemaa from Karma Ventures expressed enthusiasm about partnering with Patchstack, highlighting the team’s mission to safeguard users of open-source technologies. Alberto Pérez Arranz from G+D Ventures commended Patchstack’s leadership and commitment to delivering value through its innovative security solutions. Sild noted that the Series A funding will enable Patchstack to accelerate product development and expand its sales and marketing efforts, following previous support from the European Innovation Council.

With the new funding, Patchstack aims to enhance its product offerings and solidify its position as a top-tier provider of open-source software security, helping companies and vendors meet the requirements of the European Cyber Resilience Act and address the growing demand for effective vulnerability management.