Black Duck Offers Free Software IP Scanning Until 2006
by Timothy Prickett Morgan
When any new idea comes to market, it takes a little time for it to be understood and absorbed by companies, and the fact that the company promoting a product that encapsulates that idea needs to pay its employees and bills can complicate and extend the product ramp-up process. But sometimes, you just have to give the product away for a while to get a large potential customer base, and that is what Black Duck Software has decided to do with its protexIP OnDemand service between now and the end of the year.
The proliferation of open source programs has allowed programmers at commercial application development firms, as well as internal software development teams, to create applications more quickly than starting from scratch. But all of those open source programs have licensing terms, and not adhering to them is a legal issue. To help companies figure out what open source programs they--or third-party developers that they have hired--are using in their code, Black Duck launched protexIP, a code scanner that contained tens of megabytes of code-snippet fingerprints to identify open source code.
The core protexIP product, which was launched in December 2004 after two years of development, is a licensed program that companies run in their own data centers and use to scan their code to see if it contains any known open source programs and, if so, to identify the licensing risks that companies might incur if their code contains such code. Pricing for protexIP came to $9,500 per year for two developer seats for the license management module and $12,500 for five developer seats. This was a bit high for a lot of small development organizations, which is why in April 2005, after getting about a dozen paying customers for the full protexIP product, Black Duck launched the protexIP OnDemand online service. Rather than run protexIP on your own servers and development workstations, the OnDemand service allows you to scan your code online using Black Duck's own servers back in its data centers. The amount you pay for the online service depends on how much code you scan: it costs $3,000 for 10 MB of scans, $6,250 for 25 MB of scans, $12,500 for 50 MB of scans, $18,750 for 75 MB of scans, and $25,000 for 100 MB of scans. The OnDemand service only works for a 90-day term and can only be used by a single user for a single project; if customers are scanning a lot of code, then it makes sense to go for the full, on-site, multi-user version of the protexIP software.
Doug Levin, Black Duck's CEO, says that offering protexIP OnDemand for free until December 31 is not just about testing the pricing elasticity of the protexIP products or trying to steal some business away from the relatively new competitor that Black Duck has, namely Palamida and its IP Amplifier product, which does IP scanning for open and closed source software. He says that the marketing program is called "No Excuses," and that is what it is really about. "In most of the companies we go into, we are invited in," Levin explains. "But there are companies that we are not being invited into because even though customers might want to try protexIP, it is still a new concept." Getting together anywhere from $3,000 to $25,000 of budget for one developer to scan one project is no easy task, either. "We want to show that software compliance can apply to any company and to encourage companies to try it." Levin says that the more than 50 customers who have paid for the full protexIP product and the two dozen or so customers currently using the online service are aware of the limited-time freebie offer and understand why Black Duck is giving away--for a short time only--something that they have paid for.
To help make its case, Black Duck asked the analysts at Gartner to pipe up on the scope of the software IP problem as part of its announcement of the free service through the end of 2005. "Through year-end 2008, 70 percent of large enterprises will neglect to implement formal corporate guidelines and best practices applied to open source," says Mark Driver, vice president and research director at Gartner's application development technologies and open source software practice. "Without such practices, the majority of these enterprises will unknowingly have deployed some poorly documented, 'unauthorized' systems running open source code or combinations of OSS and commercial code."
Levin says that most companies that need to scan their source code have maybe 1 MB, 2 MB, or 3 MB of code, and that only large companies or application software development firms have anywhere near 25 MB of code. What this data suggests to me is that Black Duck might want to think about offering a product or a service that is priced low and aimed at companies with more modest budgets and much smaller code bases to scan. It is understandable why Black Duck aimed high to start, but perhaps in the company's product update due next year, it might want to consider a low-end product. For all we know, this test is about seeing how many SMB customers and small software shops would use the product if it is free. That's my guess--and it is a guess.
Black Duck can afford to be generous in the short term thanks to some venture capital money. Back in June, Black Duck raised $12 million in second-round venture capital funding to help it fuel its growth. The round was led by Fidelity Ventures, and Intel Capital and SAP Ventures, the investment arms of the chip maker and the ERP software maker, respectively, also tossed some dough into the Black Duck nest. The initial investors who put up $5 million in July 2004 for Black Duck's first round of funding--Flagship Ventures, General Catalyst Partners, and Red Hat--also lined Black Duck's nest in this second round. Black Duck and Intel also signed a technology and marketing agreement in June to optimize Black Duck's protexIP software licensing compliance software for Intel's 64-bit Xeon servers.
Black Duck has beefed up its data centers to brace itself for a big demand boost for protexIP OnDemand, and wants to remind everyone of its partnership with VA Software, the owner of the SourceForge open source project repository, under which VA Software resells protexIP with the commercial version of its SourceForge development platform and, more importantly, Black Duck hosts a full mirror of the SourceForge site at its data centers. (Palamida also has the same mirror, by the way.) By having a replicated version of SourceForge, Black Duck can keep its code-snippet fingerprints absolutely in sync with a large portion of the open source development community. In fact, this has doubled its code snippet library from 40 MB to 80 MB. The SourceForge deal also means that Black Duck doesn't have to keep track of which projects are in SourceForge any more, and it can then more fully automate the process of creating the code snippet fingerprints that identify each project in SourceForge. This has to reduce the cost of creating the protexIP product, which is another reason that I believe Black Duck will eventually offer a less-expensive version of its protexIP product.
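To illustrate what a code-snippet fingerprint library of the kind described above does, here is an added Python example; it is not Black Duck's code, and the tokenizer, the five-token shingle size, the match threshold and the two tiny "projects" in the library are all constructed assumptions. It shows why whitespace, comment and function-name changes do not hide a pasted snippet from a token-level scanner.

```python
import hashlib
import re
from typing import Dict, List, Set, Tuple

K = 5  # tokens per shingle (assumed; real scanners tune this)
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|\S")

def tokenize(source: str) -> List[str]:
    """Drop C-style comments, then split into identifiers, numbers and punctuation."""
    return TOKEN_RE.findall(COMMENT_RE.sub(" ", source))

def fingerprint(source: str, k: int = K) -> Set[str]:
    """Hash every run of k consecutive tokens; whitespace and comments never matter."""
    toks = tokenize(source)
    return {hashlib.sha256(" ".join(toks[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(toks) - k + 1)}

def build_library(projects: Dict[str, Tuple[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Map each fingerprint to (project, license). projects: name -> (license, source)."""
    lib: Dict[str, Tuple[str, str]] = {}
    for name, (lic, src) in projects.items():
        for fp in fingerprint(src):
            lib[fp] = (name, lic)
    return lib

def scan(source: str, lib: Dict[str, Tuple[str, str]], threshold: int = 3) -> Dict[str, dict]:
    """Report projects whose fingerprints appear at least `threshold` times in `source`."""
    hits: Dict[str, dict] = {}
    for fp in fingerprint(source):
        if fp in lib:
            name, lic = lib[fp]
            hits.setdefault(name, {"license": lic, "matches": 0})["matches"] += 1
    return {n: h for n, h in hits.items() if h["matches"] >= threshold}

# Constructed sample library: two made-up open source snippets with their licenses.
LIBRARY = build_library({
    "toycopy": ("GPL-2.0", "// byte copy helper\nvoid toy_copy(char *dst, const char *src, int n) {\n"
                           "    for (int i = 0; i < n; i++) {\n        dst[i] = src[i];\n    }\n}\n"),
    "toyhash": ("BSD-3-Clause", "unsigned toy_hash(const char *s) {\n    unsigned h = 5381;\n"
                                "    while (*s) { h = h * 33 + (unsigned char)*s++; }\n    return h;\n}\n"),
})

# Constructed "proprietary" file: the loop was pasted from toycopy, renamed and recommented.
SCANNED_FILE = ("/* product code */\nint product_main(void) { return 0; }\n"
                "void copy_block(char *dst, const char *src, int n) {\n"
                "  for (int i = 0; i < n; i++) { dst[i] = src[i]; } }\n")

def scan_sample() -> Dict[str, dict]:
    return scan(SCANNED_FILE, LIBRARY)

if __name__ == "__main__":
    for project, info in scan_sample().items():
        print(f"{project}: {info['matches']} matching shingles, license {info['license']}")
```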
In a separate announcement, Black Duck has announced that Janpieter Scheerder, a 10-year veteran of Sun Microsystems who used to run its software unit and who spent 15 years at the server and workstation maker Data General (long since absorbed into disk array maker and software wannabe EMC), has joined Black Duck's board of directors. Scheerder was the lead engineer on Data General's Aviion workstations and Clariion RAID disk arrays. Black Duck also has hired Douglas Johnson as its chief financial officer, replacing interim CFO Cindy Smith. Johnson has been a high-level executive at a number of small software companies, including CFO at THINQ Learning Solutions and executive vice president of operations and finance at Softlock.com, a distributor of software over the Internet.