The Open Source Technology Improvement Fund is proud to share the results of our security audit of Cortex. Cortex functions as a long-term, multi-tenant scalable open source storage for Prometheus and OpenTelemetry. Thanks to Quarkslab and the Cloud Native Computing Foundation (CNCF), Cortex received custom review and documentation for current and future security development.
Audit Process:
In early spring of 2026, two auditors from Quarkslab reviewed the overall security posture of Cortex using whitebox code review methods. First, they undertook a period of discovery, followed by studying the previously created threat model and alignment with project maintainers. Once an understanding of the project and its threat vectors was reached, the audit shifted to a period of code review with static analysis and finally dynamic testing. The focus of this work was around the security health of the tenant boundary and cluster operations. That means interrogating the confidentiality, integrity, and availability of those two functions.
Audit Results:
- 7 Findings with Security Impact
- 6 Medium
- 1 Low
- Custom Project Documentation
- Fix Recommendations
- Recommendations for Future Security Development
The report documents the positive impressions of the auditors as well as insights to the project’s strengths and overall risk areas. All seven findings identified by this work have undergone verified fixes, so update to the most recent release of the Cortex project to take advantage of the work performed by the maintainers and auditors in this engagement. If you would like to learn more about Cortex or contribute, see their website for more information.
Thank you to the individuals and groups that made this engagement possible:
- Cortex maintainers and community, especially: Daniel Blando
- Quarkslab, especially: Pauline Sauder
- Cloud Native Computing Foundation
You can read the Audit Report HERE
Read the Audit Fix Response HERE
Everyone around the world depends on open source software. If you’re interested in supporting this critical work, reach out to us!