About Us
Our Story
OSTIF was an idea born out of Derek Zimmer’s reaction to the Heartbleed vulnerability. In 2015 Zimmer worked at VikingVPN, a privacy- and security-focused VPN he co-founded, and was motivated to move into the infosec and privacy sector out of a desire to support and advocate for open source software and secure-by-design computing. He worked nights and weekends on a small non-profit that would advocate for and source security work for open source projects, and when the work became too much for one person, Zimmer reached out to his friend Amir Montazery to join him.
Montazery, who came from a background in auditing at the Federal Reserve, worked with Zimmer as the two began to build connections in the industry: attending and speaking at conferences (in full suits, which were derided by the tee-shirt-clad techies in the audience), making partnerships with auditing firms, and learning the ropes of security auditing as they went. While the first 5 years of auditing were slow, the two built up relationships with foundations, corporations, projects, people, and auditing firms that would make their 2022 output possible. Exploding from 3-4 audits in the years before to 24, OSTIF increased their production by 300% and brought on their first full-time hire, Helen Woeste. Zimmer and Montazery, too, moved from weekend warriors to full-time staff at OSTIF.
Since then, the trio have maintained output of at least 20 projects audited a year, attended multiple international conferences, and had their work presented all over the world as an example of what external and internal resources can do when properly pooled and managed to create actual security impact on open source.
Over the past ten years, OSTIF has been responsible for the finding of over 800 vulnerabilities (121 of those being Critical/High), over 13,000 hours of security work, and millions of dollars raised for open source security. Maximizing output and security outcomes while minimizing labor and cost for projects and funders has resulted in partnerships with multi-billion-dollar companies, top open source foundations, government organizations, and respected individuals in the space. Most importantly, we’ve helped over 150 projects improve their security. Right now, as you read this, we are working to keep growing that number. Hopefully, you’ll join us in advocating for and funding open source security work pivotal to our digital world.
Staff
Derek Zimmer – President and Executive Director
Derek is a privacy activist, hacker and mathematician. He started his first business in 2000, selling hand-designed PCs to gamers, engineers, and businesses. In 2012 Derek helped found VikingVPN, a VPN service focused on speed, security, and privacy, in response to the increasing problems with surveillance on the internet by marketing entities. The May 2013 disclosures by Edward Snowden motivated him to work in privacy and infosec full-time, and to focus his work on countermeasures against advanced persistent threats.
He has personally funded the entirety of the startup costs for OSTIF. He believes in the merits of the open source movement and wants to design systems that help open source infrastructure thrive. The ultimate goal of OSTIF is to help open source software and hardware become a trusted de facto standard for computing.
In his free time, Derek enjoys nature, relaxing on a nice patio, reading, cooking, dining at new restaurants, travel, art, music, movies, theater and all forms of digital entertainment.
Amir Montazery – Managing Director
Amir Montazery is the Managing Director and Cofounder of Open Source Technology Improvement Fund, Inc (OSTIF). Amir comes from a background in Finance, IT and Internal Auditing, applying years of experience to help develop OSTIF’s processes and partnerships. Furthermore, Amir is responsible for negotiating and organizing over 12,000 hours of security-focused work for organizations like Google and Amazon Web Services along with groups like Mozilla Foundation and Open Source Security Foundation (OpenSSF).
Helen Woeste – Project Facilitation and Communications Manager
Helen is a Hoosier who spent her youth in West Lafayette and then Bloomington, Indiana, spending time in the latter earning her undergraduate degree in History from Indiana University. A month after graduation she moved to Chicago where she worked in hospitality and food service management, running a variety of enterprises from bakeries to high-end restaurants to a pasta food truck. In 2023, she transitioned into open source by accepting a position with OSTIF. She is grateful for the opportunity to work with a global community that prioritizes sharing free knowledge for the greater good. In her free time she enjoys developing recipes, reading non-fiction books, and long walks by Lake Michigan.
Why Open Source?
OSTIF works almost exclusively with open source projects. This is because we believe that more security resources are needed in the open source ecosystem than what currently exists. Open source is a part of our lives that is utilized by everyone, by users and companies alike, but rarely supported equally or even acknowledged. The complex systems that govern and fund the open source ecosystem are incredibly, and increasingly, difficult to navigate.
Open source as infrastructure: Open source projects are part of banking, energy, the internet, cars, and payment systems, just to name a few. While the definition of what counts as infrastructure is variable and defined at a moment in time, there are a lot of open source projects, big and small, that underpin our digital world and whose exploitation or deterioration would result in devastation and chaos.
Underfunded: Maintainers are often unpaid and under-supported. Even projects that are used and supported to a certain extent by governments, companies, or foundations are expected to provide free labor as a part of their role in the project. Our work is designed to be as lightweight as possible on maintainers while providing them the opportunity to help design an engagement that works best for them personally as well as for the project. OSTIF has advocated, and continues to advocate, for the payment of maintainers for their work securing projects, paying out thousands of dollars to eligible maintainers who participate in security work.
Advocacy: OSTIF is one of the top fundraising organizations specifically dedicated to open source security. Working directly with funders, projects, and audit providers grants us unique insight to the functions of open source on macro and micro levels. We are able to take our experiences and testimony to shareholders and create connections where there previously were none.
Under-supported: While proprietary organizations receive guidelines and governance from governments and corporate structure, open source is self-governing. Communities are responsible for organizing, supplying, and endowing themselves, which makes for complex social and organizational relationships and structures that can be difficult to interact with as an outside party. OSTIF’s role as a third party in open source is challenging, and we’ve learned a lot the hard way, but it’s also meant we discovered how to work across and with multiple factions and groups to create shared, positive outcomes and experiences. We remain distinctive and uncommon for this reason.
Advisory Council
Our advisory council is a group of volunteers who offer advice in their fields of expertise to OSTIF. Their experience and wide field of knowledge help us manage our organization, solve problems, and advance our goals. These volunteers get monthly updates on OSTIF activity and offer their advice and opinions for management to consider when big decisions are being made about the organization’s direction or actions.
Each advisory council member is listed below, showing their name and field of expertise or other organizations that they are members of that bring relevant experience to the council.
| NAME | POSITION | COMPANY/ORGANIZATION |
| --- | --- | --- |
| Mike Dolan | VP of Strategic Programs | Linux Foundation |
| Leslie Hawthorn | Sr. Principal Technical Program Manager | Red Hat |
| Alon Swartz | Co-Founder | Turnkey Linux |
| Mario Heiderich | Director | Cure53 |
| Abraham Aranguren | Managing Director | 7A Security |
| Marita Markkula | Community Manager | F-Secure |
| Matt Caswell | Programmer and Researcher | OpenSSL |
| Samuli Seppänen | Community Manager | The OpenVPN Project |
| Daniel Davis | Community Manager | DuckDuckGo |
| Joeseph Soria | Chief Executive Officer | Flashrouters.net |
| Christel Dahlskjaer | Open Source Lead | London Trust Media |
| Markus Vervier | Chief Executive Officer | X41 D-sec |
| Fred Raynal | Chief Executive Officer | Quarkslab |
| JP Aumasson | Chief Security Officer | Kudelski Security |
| Daniel Guido | Chief Executive Officer | Trail of Bits |
| Sarang Noether | Programmer and Researcher | Monero Research Lab |
| Mounir Idrassi | Technical Lead | Veracrypt |