2025 marked the 10th year of OSTIF. This year, we published 24 audits, worked on behalf of almost 50 projects, and partnered with 10 different funding bodies to create security outcomes for open source projects. As a result, 231 findings with security impact have been reported and over 98% of those have been fixed, including all reported critical, high, or medium findings.
All and all, there’s been a lot to celebrate. We brought on a project manager, Tom Welter, to focus on honing our audit processes and the experience of projects working with us. To honor our anniversary, we hosted an in-person event as well as virtual to thank our friends, families, and partners who have supported us the past decade. In November, Managing Director Amir Montazery keynoted at KubeCon North America, speaking to thousands in the CNCF landscape about our Managed Audit Program and upcoming Kubernetes security audit release.
Building on the success of the decade behind us, our 2026 is booked and busy, but we always have space and time for open source collaborators. If you’d like to get involved with OSTIF, as a funder, project representative, or security auditor, reach out to us at [email protected].
We’re looking forward to building another decade of open source security together.
Derek, Amir, Tom, and Helen
PDF warning: 2025 Annual Report