The Eclipse Foundation’s Equinox P2 was audited by Include Security in November 2022. Equinox P2 is a provisioning platform, started by IBM in 2001. The Eclipse Foundation was founded three years later to act as an open, not-for-profit leader of the Eclipse Project community.

OSTIF was contacted by the Foundation, with funding from the OpenSSF project Alpha-Omega, to perform a security audit and provide recommendations for security hardening. Working with Include Security, the audit produced a threat model, a code review, and an analysis of SAST and fuzzing tooling.

The Include Security team followed a static code analysis with white-box code review methodology throughout the engagement. The result was one critical, three medium, and five low-risk findings. For the threat model, the focus was on threat actors that could feasibly attack PGP-based signature verification; everything else was considered out of scope for the audit. Include built the threat model of the Target of Evaluation methodically, following a four-step process.

Over the 22 person-days spent on the audit, Include Security also worked on SAST tooling and fuzzing for continuous monitoring. In the report, Include Security describes three security tools and recommends how fuzzing and SAST tooling could be reworked to run best on P2’s code, mainly by adding rules to the scanners to eliminate noise and false positives.


OSTIF would like to extend our gratitude to the Equinox P2 team and the Eclipse Foundation for their participation and partnership in this security audit, particularly Mikael Barbero and Marta Rybczynska. Thank you as well to those at Include Security for their hard work and final report on this project. Finally, we would like to acknowledge and thank OpenSSF Project Alpha-Omega for their financial support of this critical security work.

Read Include Security’s Audit of Equinox P2 here!

Read the Eclipse Foundation’s statement here!