What our reports reveal — before the headlines.

Every report below is a real technical due diligence assessment run against a real public codebase. These are not simulations. Each includes a blockchain-anchored Data Handling Certificate proving exactly how the analysis was conducted.

Supply chain attack

XZ Utils — The Backdoor That Nearly Compromised Every Linux Server

Incident disclosed March 2024

XZ Utils is a compression library embedded in virtually every Linux distribution. In March 2024, a sophisticated backdoor was discovered — a malicious contributor had spent over two years building trust with the sole maintainer before inserting code that targeted SSH authentication on millions of servers worldwide.

The backdoor was caught by accident. A Microsoft engineer noticed a 500-millisecond latency anomaly during routine benchmarking. Without that observation, the compromised code would have shipped in stable releases of Debian, Ubuntu, Fedora and others.

What our report flagged

Key findings from the Polaris assessment

  • Supply chain: CRITICAL — known supply chain incident detected and independently verified against advisory databases.
  • Bus factor: MEDIUM — extreme contribution concentration from a single author. A textbook single point of failure, and the condition that made the social engineering attack possible.
  • Governance: HIGH — Grade D governance score (3.6/10). No secondary maintainer, no code review infrastructure, no organisational oversight.
  • Copyleft licence: CRITICAL — GPL licensing creates potential IP contamination risk for any organisation integrating this library into proprietary software.

None of this required inside knowledge. Every one of these findings was visible in the public repository, waiting to be read. The bus factor alone should have been a red flag for any organisation depending on it.
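The bus factor finding above (and the same metric in the Log4j, FastAPI and Express sections) is derived from nothing more than the public commit history. The following is an added example, not Polaris's own scoring code: it computes commit concentration from `git log` style output under one assumed definition (the bus factor is the smallest number of authors whose commits together make up at least half of all commits), and the rating thresholds at the end are assumptions for illustration, not Polaris's calibration. Both commit logs are constructed, not taken from any real repository.

```python
"""Contribution concentration ("bus factor") from commit author history.

Added example, not Polaris's own code. Bus factor is assumed to mean the
smallest number of authors whose commits together account for at least
50% of all commits in the window examined.
"""
from collections import Counter

# Constructed sample logs (not real repositories). Each line is one commit in
# the form produced by `git log --format='%an%x09%as'`: author, tab, ISO date.
CONCENTRATED_LOG = """\
maintainer\t2023-01-04
maintainer\t2023-01-09
maintainer\t2023-02-11
maintainer\t2023-02-20
maintainer\t2023-03-02
maintainer\t2023-03-15
maintainer\t2023-04-01
maintainer\t2023-04-18
maintainer\t2023-05-06
newcomer\t2023-05-07
newcomer\t2023-05-20
drive-by\t2023-06-01
"""

DISTRIBUTED_LOG = """\
alice\t2023-01-04
bob\t2023-01-05
carol\t2023-01-06
dave\t2023-01-07
alice\t2023-02-04
bob\t2023-02-05
carol\t2023-02-06
dave\t2023-02-07
alice\t2023-03-04
bob\t2023-03-05
carol\t2023-03-06
dave\t2023-03-07
"""


def author_counts(log_text: str) -> Counter:
    """Count commits per author from tab-separated git log output."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        author, _sep, _date = line.partition("\t")
        counts[author] += 1
    return counts


def top_author_share(counts: Counter) -> float:
    """Fraction of all commits made by the single most active author."""
    total = sum(counts.values())
    return counts.most_common(1)[0][1] / total if total else 0.0


def bus_factor(counts: Counter, threshold: float = 0.5) -> int:
    """Smallest number of authors whose combined commits reach `threshold`.

    Authors are taken most-active first until their cumulative share of
    commits reaches the threshold; that author count is the bus factor.
    """
    total = sum(counts.values())
    if total == 0:
        return 0
    covered = 0
    for n, (_author, commits) in enumerate(counts.most_common(), start=1):
        covered += commits
        if covered / total >= threshold:
            return n
    return len(counts)


def rate_concentration(counts: Counter) -> str:
    """Map the two metrics to a coarse rating.

    The thresholds here are assumed for this example only.
    """
    if bus_factor(counts) <= 1:
        return "HIGH"
    if top_author_share(counts) >= 0.5:
        return "MEDIUM"
    return "LOW"


if __name__ == "__main__":
    for label, log in (("concentrated", CONCENTRATED_LOG), ("distributed", DISTRIBUTED_LOG)):
        counts = author_counts(log)
        print(f"{label}: bus factor {bus_factor(counts)}, "
              f"top author share {top_author_share(counts):.0%}, "
              f"rating {rate_concentration(counts)}")
```

Run against a real checkout, the same functions take the output of `git log --format='%an%x09%as'` piped through stdin; the point of the constructed logs is that a single author holding 75% of commits yields a bus factor of 1, whereas four equal contributors need two authors to reach the 50% line.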

Critical vulnerability — global impact

Apache Log4j — The Dependency That Brought Down the Internet

Incident disclosed December 2021

In December 2021, a critical remote code execution vulnerability was disclosed in Apache Log4j — a Java logging library so widely used that it was embedded, often without anyone knowing, in hundreds of thousands of applications worldwide. CVE-2021-44228 scored a perfect 10.0 on the CVSS severity scale.

What our report flagged

Key findings from the Polaris assessment

  • 31 known vulnerabilities across 16 of 264 dependencies — 3 rated critical, 15 rated high. Even post-patch, the dependency tree carries material security exposure.
  • Bus factor: MEDIUM — elevated contributor concentration (Tier 4). A project this widely depended upon, with this level of maintainer concentration, represents operational risk.
  • Architecture: MEDIUM — 21 circular dependencies across the module graph, indicating structural complexity that increases the cost of future changes.

Every one of these findings was visible in the public repository. An investor or acquirer reviewing a target company's codebase would have had a complete dependency inventory with known vulnerabilities flagged, severity rated, and exposure classified — before the incident made headlines.

Complex production codebase

Grafana — 4 Million Lines, Critical Secrets, Supply Chain Exposure

Active project · 18,000 files · TypeScript/Go

Grafana is a widely deployed observability platform used by organisations worldwide. At 4 million lines of code across 18,000 files, it represents the kind of complex, actively maintained production codebase that acquirers encounter in real transactions.

What our report found

Key findings from the Polaris assessment

  • Secrets: CRITICAL — 9 credential exposures detected in the repository in total, 3 of them critical-severity and 6 at lower severity.
  • Dependencies: CRITICAL — 2 critical CVEs across 1,337 dependencies. Significant attack surface.
  • Supply chain: CRITICAL — 2 critical supply chain incidents associated with project dependencies.
  • Malware heuristic: MEDIUM — 18 suspicious code patterns flagged for manual review.
  • Architecture: MEDIUM — 23 circular dependencies detected across the module graph.

This is what a comprehensive TechDD assessment looks like on a large, real-world codebase. The report quantifies risks that would take a manual review team weeks to identify.

Enterprise .NET codebase

Bitwarden Server — Enterprise Security Software Under the Microscope

Active project · 5,758 files · C# / .NET

Bitwarden is a widely adopted open-source password manager. Its server component is a substantial C# .NET application — the kind of enterprise codebase a PE firm might encounter when evaluating a security software company.

What our report found

Key findings from the Polaris assessment

  • Tech debt: HIGH — 868 debt markers (2.3 per thousand lines of code). Significant accumulated technical debt that could slow feature delivery post-acquisition.
  • Secrets: MEDIUM — 6 credential findings detected in the repository.
  • Architecture: MEDIUM — 11 circular dependencies across 3,466 modules, indicating tightly coupled subsystems.
  • Copyleft licence posture — project-level copyleft detected, relevant for IP assessment in acquisitions.

Even well-regarded security software has quantifiable risks when examined at the code level. This report demonstrates how Polaris handles complex enterprise .NET codebases with large dependency trees.

Popular Python framework

FastAPI — A Widely-Adopted Framework With Concentration Risk

Active project · 2,743 files · Python

FastAPI is one of the most popular Python web frameworks, used by companies from startups to enterprises. It represents a common scenario in acquisitions: a well-known, well-documented project that still carries risks only visible through code-level analysis.

What our report found

Key findings from the Polaris assessment

  • Bus factor: MEDIUM — critical contribution concentration (Tier 3, capped from high for library archetype). The framework's ongoing development depends heavily on a small number of contributors.
  • Architecture: MEDIUM — 9 circular dependencies detected, indicating coupling that could complicate future refactoring.
  • Code quality: Grade B (62/100) — acceptable quality, but 5 high-severity potential security anti-patterns flagged for review.
  • Governance: MEDIUM — Grade C governance score (5.3/10). Moderate gaps in project governance practices.

Not every risk is a showstopper. FastAPI demonstrates how a Polaris report helps acquirers and investors understand the nuanced risk profile of a popular, actively maintained project — identifying areas that might require investment post-acquisition.
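The circular dependency counts reported for Log4j, Grafana, Bitwarden and FastAPI all rest on the same idea: build a module-level import graph and look for cycles in it. The following is an added example, not Polaris's own analysis code. It assumes a Python package whose dependencies are the top-level `import` and `from ... import` statements, and it counts one circular dependency per strongly connected component of two or more modules (found with Tarjan's algorithm). The module sources are constructed for illustration and do not come from any of the projects above.

```python
"""Circular-dependency detection over a module import graph.

Added example, not Polaris's own code. A "circular dependency" is assumed to
mean a strongly connected component of two or more modules in the graph.
"""
import ast

# Constructed module sources keyed by dotted module name (hypothetical package).
SOURCES = {
    "app.models": "from app import db\nfrom app.services import audit\n",
    "app.db": "import logging\n",
    "app.services": "from app.models import User\n",
    "app.services.audit": "from app.models import Event\nimport json\n",
    "app.api": "from app.services import handler\nfrom app.auth import require\n",
    "app.auth": "from app.api import error_response\n",
    "app.cli": "from app.api import main\n",
}


def module_edges(sources):
    """Parse each module's top-level imports into edges to other known modules.

    `from X import Y` resolves to module X.Y when that is a known module,
    otherwise to X; imports of anything outside `sources` are ignored.
    """
    known = set(sources)
    edges = {name: set() for name in sources}
    for name, code in sources.items():
        for node in ast.parse(code).body:
            if isinstance(node, ast.Import):
                for alias in node.names:
                    if alias.name in known:
                        edges[name].add(alias.name)
            elif isinstance(node, ast.ImportFrom) and node.module:
                for alias in node.names:
                    candidate = f"{node.module}.{alias.name}"
                    target = candidate if candidate in known else node.module
                    if target in known:
                        edges[name].add(target)
        edges[name].discard(name)  # a module importing itself is not a cycle here
    return edges


def strongly_connected_components(edges):
    """Tarjan's algorithm; returns a list of components, each a sorted list."""
    index, low, on_stack, stack, result = {}, {}, set(), [], []
    counter = [0]

    def visit(v):
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in edges.get(v, ()):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:  # v is the root of a component
            component = []
            while True:
                w = stack.pop()
                on_stack.discard(w)
                component.append(w)
                if w == v:
                    break
            result.append(sorted(component))

    for v in edges:
        if v not in index:
            visit(v)
    return result


def circular_dependencies(sources):
    """Return the module groups that depend on each other in a cycle."""
    edges = module_edges(sources)
    return sorted(c for c in strongly_connected_components(edges) if len(c) > 1)


if __name__ == "__main__":
    cycles = circular_dependencies(SOURCES)
    print(f"{len(cycles)} circular dependencies detected")
    for cycle in cycles:
        print("  " + " <-> ".join(cycle))
```

On the constructed package the result is two cycles (`app.models` with `app.services.audit`, and `app.api` with `app.auth`), while `app.services` and `app.cli` depend on cyclic modules without being part of a cycle themselves. Counting components rather than individual paths keeps the number stable as a codebase grows; counting every elementary cycle would inflate quickly in a tightly coupled subsystem.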

Clean across all dimensions

Express.js — What a Clean Report Looks Like

Active project · 175 files · JavaScript

Express is the most widely used Node.js web framework. It has been maintained for over a decade by a dedicated team with strong governance practices. This report demonstrates what a clean technical due diligence assessment looks like — no critical findings across any of the 13 risk dimensions analysed.

What our report found

Key findings from the Polaris assessment

  • All 13 dimensions: CLEAN — no critical, high, or medium-severity findings across secrets, dependencies, licences, bus factor, code quality, architecture, test coverage, infrastructure, tech debt, governance, maturity, malware, or supply chain.
  • Code quality: Grade B (79/100) — well-maintained codebase with consistent coding standards.
  • 30 active contributors — healthy contribution distribution with no single point of failure.
  • Zero known vulnerabilities across 44 dependencies.

Not every codebase is a risk. A clean Polaris report is a powerful signal to investors and acquirers that the technology foundation is sound — providing confidence to proceed with a transaction.

The cost of a technical due diligence engagement is a fraction of the cost of discovering a problem after completion.

Fixed-fee engagements from £1,500.


Assess the risk before the deal closes