The Open Source Technology Improvement Fund is proud to share the results of our security audit of Kubeflow. Kubeflow is used for building and deploying customizable machine learning workflows on Kubernetes, and its many subprojects can be implemented individually or in combination. Thanks to ADA Logics and the Cloud Native Computing Foundation, Kubeflow underwent a custom security engagement that audited 6 projects in the Kubeflow ecosystem.
Audit Process:
In late summer of 2025, two security engineers from ADA Logics performed a holistic review of a selection of projects in the Kubeflow ecosystem: Katib, Trainer, Spark Operator, Notebooks, Model Registry, and Pipelines. These audits included CI testing, fuzzing work, threat modeling, code review, and supply chain security review for each of the projects. Read more about each project’s results in the audit report linked below.
Audit Results:
- 14 Findings with Security Impact
  - 3 Critical
  - 7 Moderate
  - 2 Low
  - 2 Informational
- OpenSSF Scorecard assessments of all 6 projects
- Custom threat modelling documentation for all 6 projects
- Fuzzing implemented for 4 projects: Katib, Pipelines, Spark Operator, and Model Registry
- Custom documentation of the audit scope, discovery, and findings with security impact.
Kubeflow maintainers and community worked to resolve and address the issues reported during this engagement. To take advantage of the work done, update to the most recent release of Kubeflow.
As machine learning rapidly advances and changes the open source environment, engagements that take a holistic view of projects in Artificial Intelligence (AI) are important to the ecosystem. They document the security implications of a project at a given point in time, which helps maintainers with future development and educates users on safe and best practices for the AI code they use.
Thank you to the individuals and groups that made this engagement possible:
- Kubeflow maintainers and community, especially: Julius Von Kojout, Matthew Wicks, Francisco Arceo, Humair Kahn, Jeff Spahr, Andy Stoneberg, and Andrey Velichkevich
- ADA Logics: Adam Korczynski and David Korczynski
- Cloud Native Computing Foundation
You can read the Audit Report HERE
Everyone around the world depends on open source software. If you’re interested in supporting this critical work, reach out to us!