Open Letter to the Board of Directors of GitLab Inc. (NASDAQ: GTLB)
September 25, 2023

To the Board of Directors of GitLab Inc.:
In researching GitLab Inc.’s revenue recognition and IT controls practices resulting from the adverse opinion issued by KPMG on GitLab’s 10-K filed on March 30, 2023, I have found numerous egregious and blatant security and accounting failures occurring at GitLab Inc. I do not believe at the present time that GitLab Inc. should advertise itself as “DevSecOps” when in fact GitLab Inc. completely fails to secure its own customer and Sarbanes-Oxley compliance data and makes these available on the public internet.
GitLab Inc. is committing malpractice toward its shareholders. I have taken a position short the equity of GitLab Inc. as this business clearly does not care about customer data protection, security practices, or proper revenue recognition practices.
To wit:
I: It is a detriment to shareholders that GitLab Inc. makes public internal communications about accounting, audit, revenue recognition policies, internal operations, and strategy. This is completely unacceptable behavior for a publicly traded company.
II: I believe there is strong evidence suggesting that GitLab Inc. is using non-GAAP methods relating to “Merge Requests” and other code patterns to inappropriately recognize revenue and/or cost of revenue. I believe this is a deliberate manipulation under ASC 606. Further, I believe there is strong evidence that shows these code patterns GitLab Inc. uses to allocate revenue recognition and/or cost of revenue lie in a single dashboard in business intelligence tool Sisense, with accounting logic held in dbt Labs products, run on Snowflake cloud data warehouse software. Additionally, I see strong evidence suggesting that GitLab Inc. management is also using incorrect data for their “Merge” and code churn accounting metrics.
III: In researching GitLab Inc.’s accounting and IT controls practices, I came across egregious failures relating to customer and partner data sharing. This is unacceptable.
IV: I do not believe GitLab Inc.’s recent appointment of Ms. Erin Mannix to the role of Chief Accounting Officer will meaningfully address any of the major accounting and IT control issues. Ms. Mannix’s recent tenure as Chief Accounting Officer of Unisys Corp (NYSE: UIS) saw this organization fail to produce a 10-Q on time. I also believe GitLab Inc. has papered over a number of accounting deficiencies given GitLab Inc.’s former status as an “emerging growth company” defined under federal securities laws, and once this “emerging growth company” status was removed, a number of issues have appeared which seem to have no resolution in sight.
V: I believe GitLab Inc.’s premium offering, the Ultimate plan, is seeing higher than expected churn in addition to lower than expected adoption. GitLab Inc.’s decision to mandate professional services as an add-on for Ultimate plan adopters shows the inherent weakness in the product offering. GitLab Inc. shareholders should be aware of this headwind relating to GitLab Inc.’s product offerings. Additionally, I see major headwinds to GitLab Inc.’s ability to retain revenue from existing given current economic conditions. I do not believe GitLab Inc. products are positioned to compete with GitHub given the superiority of GitHub’s AI Copilot offering.
KPMG’s adverse opinion and GitLab Inc.’s revenue recognition policies
GitLab Inc. filed Form 10-K, dated March 30, 2023, which included an adverse opinion from auditor KPMG LLP.
This document can be found here.
In the section titled “Report of Independent Registered Public Accounting Firm” KPMG notes an (extremely rarely issued) adverse opinion of GitLab Inc.’s effectiveness of internal control over financial reporting, noting in the document that “this material weakness affects substantially all financial statement accounts.”
Noted in the document are two key matters related to KPMG’s adverse opinion:
KPMG evaluated GitLab Inc.’s standalone selling prices (SSPs) for self-managed subscription and self-managed license performance obligations. Since these offerings are self-managed by customers, it appears that GitLab Inc. may be using a methodology to calculate costs and/or revenue recognition related to the self-managed products that do not align with GAAP standards.
KPMG found practices around manual journal entries and stock-based compensation practices that failed to have adequate controls and impact GitLab Inc.’s consolidated financial statements.
Additionally, earlier in the 10-K filed on March 30, 2023, GitLab Inc. notes revenue recognition practices of their self-managed offerings, noting that they allocate “up to 23% of the entire transaction price” upfront as the right to use the underlying software as “License revenue - Self managed” while allocating the remaining value as “Subscription revenue - Self managed” post-contract customer support.


I note that this 10-K filed on March 30, 2023 shows that GitLab Inc. is no longer considered an “emerging growth company” and is now a “large accelerated filer” for the foreseeable future.
Additionally, I note that GitLab Inc.’s S-1 filing on September 17, 2021 has different allocations noted with regard to revenue allocation.
GitLab’s S-1 may be viewed here.



This change from 1–15% upfront revenue recognition when the company was an “emerging growth company” to its recent change to “up to 23% allocation” upfront shows that GitLab Inc. is in some way moving increasing revenue forward as the market changes and developer and technical employee layoffs have occurred throughout the market. I do not believe GitLab Inc. is doing its shareholders justice by failing to properly address nuance associated with this change to revenue recognition. Further, I will show evidence in this letter of how this “performance obligation” factor of ASC 606 has been gamified by GitLab Inc. before and after IPO, with implications around revenue recognition and cost of revenue.
GitLab Inc. operates an unsecured, public GitLab account that makes public secure, private data about customers and business operations
Much of the rest of this letter includes examples of egregious security issues with the operation of GitLab Inc.’s own GitLab account, which can be viewed here.
You do not even need a GitLab account to view most of this; it’s all available on the public internet.

In researching a number of revenue recognition and IT controls issues made clear by KPMG’s adverse opinion, I found numerous examples of employee communications related to Sarbanes-Oxley compliance, business strategy, financial reporting, and customer data all on the public internet.
The fact that GitLab Inc. cannot be bothered to properly secure their own internal communications about SOX issues and financial operations should give investors, customers, and potential customers major cause for concern. GitLab Inc. position their offerings as security and IT operations solutions, and they themselves cannot exhibit appropriate behavior regarding their own security and IT operations.
Much of the following information is derived from GitLab Inc.’s public, open internal communications. I do not believe most GitLab Inc. shareholders or even the Board of Directors know the severity and level of security issues present.
There are significant revenue recognition and cost of revenue gamification issues
On May 7, 2019 GitLab Inc.’s then-Vice President of Engineering and later Chief Technology Officer Eric Johnson opened Issue #3931 on the GitLab platform. This can be viewed here on the public internet.

This issue instructs Johnson’s engineering team to take ownership from finance a “code churn” KPI (showing the velocity of code) that feeds into GitLab Inc.’s annual auditing process.
It appears at the time, before IPO, when GitLab Inc. was still a private company, that the goal was to justify spreading revenue recognition over time, with less revenue recognition upfront and more recognized over the lifetime of the customer relationship. The stated intent of using “code churn” here is to directly increase GitLab Inc.’s valuation by ~10%.




Further, in GitLab Inc.’s public code base there exists a Merge Request opened July 13th, 2021, pre-IPO, in which SOX control information previously public was moved internal. This can be viewed here on the public internet.
In this markdown documentation, it appears that leading up to IPO GitLab Inc. modified its practice of straight line revenue recognition for subscriptions and adopted the following table. This can be viewed under “Changes” then “Quote-to-Cash” here.
I again note the absurdity and complete lack of accountability on the part of GitLab Inc. management for having this public for a time, then deleting it, then not removing the markdown changes.

It seems this is the standard GitLab Inc. was using at the time of their IPO. I believe the “code churn” or “merge” patterns GitLab Inc. is using affect how they approach ASC 606 performance obligations standards, around cost of revenue and around revenue recognition. This aligns with the “1 — 15%” allocation GitLab Inc. noted in their S-1, yet it still brings to question why they are currently now allocating 23% upfront on at least some of their offerings per their latest 10-K.
But it just gets worse.
On November 3, 2022 Issue #14163 was opened.
You can view this here on the public internet. Again, this should not be public but because GitLab Inc. management has no standards for security while touting GitLab as DevSecOps, it is on the public internet.


From this issue, it seems that there is a single Sisense business intelligence dashboard, with dbt Labs data transformation logic behind it, run on the Snowflake data warehouse, that GitLab Inc. management has used to determine MRs, or Merge Requests, that feed into either the cost of revenue calculations, or revenue recognition practices with regard to ASC 606 remaining performance obligations standards, or both, and that KPMG was not able to accurately determine whether the business intelligence and analytics results are correct. It seems this did not in fact tie out to merge requests and that GitLab Inc. did not have an accurate way to determine the amount of merges they use to proxy cost of revenue and/or revenue recognition.
I do not believe GitLab Inc.’s statement in their latest 10-K that they “are able to measure and track our development team’s efficacy by counting the number of merge requests” given the information available on GitLab Inc.’s public GitLab account. I believe GitLab Inc. made a materially false statement on their 10-K and I believe they cannot in fact accurately track merge requests in their own platform.

Additionally, I note that it appears KPMG issued an adverse opinion based on the fact that they were not able to reconcile the accounting which is partially based on MRs of GitLab Inc. and seemingly GitLab Inc. customers, because the usage of MRs, or merges, and that GitLab Inc. management appears to have used reports via Sisense and dbt Labs business logic transformations that did not tie out to the actual use of MRs. This is reflected in GitLab’s 10-K issued on March 30, 2023.


Yet, it only gets worse. On September 19, 2022 GitLab recorded Issue #711 on the platform. This is available here on the public internet.

GitLab Inc. knew as of September, 2022 that revenue generating deals were being incorrectly accounted for.
In one of the most grossly negligent examples of security operations I have ever seen, a GitLab Inc. employee and accountant posted on the public internet screenshots of communications between GitLab Inc.’s auditor KPMG and GitLab Inc. employees referring to these accounting discrepancies, including an invoice that put sensitive customer invoice and accounting information on the public internet.
This is completely unacceptable, and WalkMe would be in their rights to sue GitLab Inc. for leaking this information.




GitLab Inc.’s appointment of Ms. Erin Mannix to the position of Chief Accounting Officer is a red flag for GitLab Inc. shareholders
On June 30, 2023 GitLab Inc. publicly announced that Ms. Erin Mannix was appointed as Chief Accounting Officer. This information is available here.
I do not believe Ms. Mannix will be able to effectively clean up GitLab Inc. accounting in a manner beneficial to shareholders.
I do not believe Ms. Mannix is up to the job of cleaning up an operation that posts confidential Sarbanes-Oxley data and private customer data on the open, public internet.
I do not believe Ms. Mannix is positioned to provide greater clarity to GitLab shareholders on the nature of GitLab Inc. revenue recognition and cost of revenue practices.
Ms. Erin Mannix recently served as Chief Accounting Officer of Unisys Corporation (NYSE: UIS). Unisys Corporation is a services business in the IT sector. Prior to her tenure as CAO of Unisys, Ms. Mannix was VP Corporate Controller and Global Assistant Controller of Unisys.

Unisys Corporation was unable to produce a 10-Q on time in November, 2022, which can be viewed here.
This inability to produce results on time to shareholders resulted in a near 50% drop in Unisys stock following this announcement on November 7, 2022.

Further, Unisys Corporation filed an amendment to their 10-K on November 23, 2022 which can be viewed here.

Given Ms. Mannix’s background of restatement of IT controls affecting financial reporting at her last company as CAO and as VP Corporate Controller, where her job was quite literally to manage controls over financial reporting, I believe GitLab Inc. is set up for failure following KPMG’s adverse opinion and the numerous cases of egregious security failures to protect Sarbanes-Oxley and customer data that occur at GitLab Inc.
Additionally, Ms. Mannix and finance employees at GitLab Inc. have been engaging in questionable promotional marketing activities to recruit new finance team members.


Given KPMG’s adverse opinion plus the clear changes regarding revenue recognition, I find it inappropriate that GitLab Inc.’s new Chief Accounting Officer is promoting posts that say “We believe that accounting doesn’t have to be all that serious business” and that GitLab has a 45% YoY revenue growth when there is evidence that they have changed revenue recognition standards. The last thing GitLab Inc. shareholders need is more finance employees not taking the job seriously.
GitLab Inc. shareholders should demand answers and accountability from GitLab Inc. and the Board of Directors on what the plan is to create greater transparency for revenue recognition, cost of revenue, and IT controls.
GitLab Inc. is facing enormous revenue headwinds
On May 1, 2023 GitLab Inc.’s Field Enablements team posted that they are now changing discounts offered to channel partners. This can be seen here on the public internet. Included in this issue as a comment is the schedule of new channel partner discounts as of May 1, 2023, available as a screenshot of an internal Slack message from the Field Enablements team.
GitLab Inc. investors may note the potential impact on GitLab Inc.’s financials, given their heavy reliance on partners.

GitLab Inc.’s premium offering, the Ultimate plan, is clearly facing headwinds in adoption. This plan offers additional features over the Premium plan and costs over 3x as much per user.

On April 1, 2023, a GitLab Inc. employee opened an issue stating that “The board is strongly suggesting making professional services mandatory on all ultimate opportunities…” with accompanying documentation. This issue can be viewed here on the public internet.

This clearly shows that the Ultimate plan list priced at $99/month per user is experiencing churn issues among larger accounts, with the need for GitLab Inc. to supplement customer usage with professional services. I would expect that professional services revenues will increase going forward on GitLab Inc.’s consolidated financial statements.
Further, I again question what exactly the revenue recognition policy is regarding Ultimate plan customers. If churn is so high that GitLab Inc. is now mandating professional services attachments, it brings into question how GitLab Inc. is allocating revenue recognition. If GitLab Inc. needs to justify post-contract support for allocating revenue in the absence of customer usage, professional services attached to the Ultimate plan can provide justification.
Additionally, GitLab Inc. is currently facing an existential crisis regarding AI, specifically the adoption of Copilot from competitor GitHub, owned by Microsoft. GitHub Copilot allows customers to add automation to code development and will likely save developer time and headcount. GitLab Inc. is quickly falling behind as developer headcount has contracted across the market with significant tech layoffs, a trend I believe will continue into early calendar 2024.
In Summary
GitLab Inc. has exhibited serious gross negligence in their accounting and security practices. GitLab Inc. has not taken meaningful steps to address these serious accounting and security concerns raised by auditor KPMG. GitLab Inc. appointed a Chief Accounting Officer with a recent history of similar behaviors, who in her first several months in the role is actively recruiting employees who do not take finance or accounting seriously. GitLab Inc. has shared private customer information over the public internet. Meanwhile, GitLab Inc. positions themselves as a security solution for developers.
I do not believe GitLab Inc. is a serious business. I believe GitLab Inc. is a distributed adult day care center with negligent management. I believe GitLab Inc. has a history of blatant manipulation of revenue recognition and of cost of revenue, all to the detriment of shareholders.
I encourage all customers and shareholders to demand concrete answers from GitLab Inc. and their Board of Directors.
-Lauren Balik
________
This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. Lauren Balik does not represent the interests of any fund or of any investor other than herself. Past performance is not indicative of future results. This content speaks only as of the date published. Any projections, estimates, forecasts, targets, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others.