by chuckgreenman 2467 days ago
Interesting to see the differences between Github and Gitlab's strategy in this arena.

Github appears to be going the acqui-hire route with Semmle, dependabot, pullpanda etc, whereas I don't think Gitlab's made an acquisition for a year or two.


GitLab published what they're interested in: https://about.gitlab.com/handbook/acquisitions/. It's an amazing, one-of-a-kind doc. One of their constraints (https://about.gitlab.com/handbook/acquisitions/#what-we-offe...) is quite limiting, though:

> The total purchase price of the deal, paid in cash, will not exceed $1M and will be the total and only compensation for the entire deal.

They are looking at companies that: "Raised under $10M total investment funds, last round being over 3 years ago"

This implies that in addition to self-funded ventures, they are looking for fire sales from failed start-ups.

It looks like they're buying (big) features, not complete solutions or companies. That's actually an interesting approach; I'm sure others do that, but maybe not as explicitly.

It would allow a small team of hackers to have a decent exit without having to go through the whole startup road.

Gitlab hasn't generally seemed interested in these sorts of free scanning tools. I wonder if that's because their users are much more weighted towards private/self-hosted than Github's are? Because so little open source happens on Gitlab, they can't buy good PR through this kind of strategy like Github can.

I've been looking quite a bit into this recently, and even though they might not be screaming it from the rooftops, Gitlab offers quite a few security-related features. There are code scanning, dependency tracking, etc. features at various levels of readiness.

https://about.gitlab.com/devops-tools/ https://about.gitlab.com/stages-devops-lifecycle/secure/

They’ve had SAST tools for a few releases, but high up in the paid license types. With GitHub providing them for free, they may need to move them into CE.

Their scanning tools are "source available", but they're definitely not open-source. The license is gonna be a non-starter, but how they built their SAST tool [0] is actually quite interesting.

It just uses existing open-source analysis tools, but orchestrates them all into a single tool by coordinating a bunch of docker images.

[0] https://gitlab.com/gitlab-org/security-products/sast
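Added example, not GitLab's code: a sketch of the orchestration pattern the comment describes, where each existing analyzer runs in its own container and a thin wrapper normalizes their different report formats into one finding list. The analyzer names, images and output shapes below are constructed placeholders, and the `docker run` invocation is an assumed default that can be swapped for any callable.

```python
import json
import subprocess
from typing import Callable, Dict, List, Tuple

Finding = dict  # common schema: file, line, severity, message, tools

def _from_tool_a(raw: dict) -> List[Finding]:
    # Constructed native shape: {"results": [{"path", "line", "level", "msg"}]}
    return [{"file": r["path"], "line": r["line"], "severity": r["level"].lower(),
             "message": r["msg"], "tools": ["tool-a"]} for r in raw.get("results", [])]

def _from_tool_b(raw: dict) -> List[Finding]:
    # Constructed native shape: {"issues": [{"location": {"file", "start_line"}, "sev", "title"}]}
    sev = {"H": "high", "M": "medium", "L": "low"}
    return [{"file": i["location"]["file"], "line": i["location"]["start_line"],
             "severity": sev[i["sev"]], "message": i["title"], "tools": ["tool-b"]}
            for i in raw.get("issues", [])]

# Hypothetical registry: analyzer name -> (container image, converter to common schema).
ANALYZERS: Dict[str, Tuple[str, Callable[[dict], List[Finding]]]] = {
    "tool-a": ("registry.example.invalid/tool-a:1", _from_tool_a),
    "tool-b": ("registry.example.invalid/tool-b:1", _from_tool_b),
}

def docker_runner(image: str, src_dir: str) -> str:
    """Assumed default runner: source mounted read-only, no network, JSON report on stdout."""
    cmd = ["docker", "run", "--rm", "--network", "none",
           "-v", f"{src_dir}:/src:ro", image]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def run_all(src_dir: str, runner: Callable[[str, str], str] = docker_runner) -> List[Finding]:
    """Run each analyzer, normalize its report, and merge findings that several
    tools raise on the same file and line into a single entry."""
    by_loc: Dict[Tuple[str, int], Finding] = {}
    errors: List[Finding] = []
    for name, (image, convert) in ANALYZERS.items():
        try:
            findings = convert(json.loads(runner(image, src_dir)))
        except (subprocess.CalledProcessError, OSError, ValueError, KeyError) as exc:
            # One failing analyzer is recorded as a finding rather than aborting the scan.
            errors.append({"file": None, "line": None, "severity": "error",
                           "message": f"{name} failed: {exc}", "tools": [name]})
            continue
        for f in findings:
            key = (f["file"], f["line"])
            if key in by_loc:
                by_loc[key]["tools"].append(name)  # same location already reported
            else:
                by_loc[key] = f
    return list(by_loc.values()) + errors
```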

Microsoft has $130bn cash-on-hand.

The surprise is really that they're not being more aggressive in their acquisitions.

They should be like Yahoo was and buy everything they see? (for billions, only to sell it at a massive loss later)

I've not heard from Yahoo in a year at least; do they still exist ...

I just got an email from Yahoo about a settlement in a class action lawsuit over a massive data breach. It said something about Yahoo paying for 2 years of credit monitoring service to anyone affected by the breach.

Maybe that's not exactly what you were looking to "hear from" Yahoo about, though...