The Open Source Technology Improvement Fund is dedicated to resourcing and managing security engagements for open source software through partnerships with corporate, government, and non-profit donors. We bridge the gap between resources and security outcomes, while supporting and championing the open source community whose efforts underpin our digital landscape.

Who We Are

Meet OSTIF’s staff and Advisory Council

Annual Reports

2024

2023

2022

Stats

20,000 hours of security work

800 vulnerabilities identified

66 CVEs

500+ tools added to projects

100+ projects audited

$3,000,000+ raised for security

Our Story

OSTIF was an idea born out of Derek Zimmer’s reaction to the Heartbleed vulnerability. In 2015 Zimmer worked at VikingVPN, a privacy- and security-focused VPN he co-founded, and was motivated to move into the infosec and privacy sector by a desire to support and advocate for open source software and secure-by-design computing. He worked nights and weekends on a small non-profit that would advocate for and source security work for open source projects, and when the work became too much for one person, Zimmer reached out to his friend Amir Montazery to join him.

Montazery, who came from a background in auditing at the Federal Reserve, worked with Zimmer as the two began to build connections in the industry: attending and speaking at conferences (in full suits, which were derided by the T-shirt-clad techies in the audience), forming partnerships with auditing firms, and learning the ropes of security auditing as they went. While the first 5 years of auditing were slow, the two built up relationships with foundations, corporations, projects, people, and auditing firms that would make their 2022 output possible. Exploding from 3-4 audits in the years before to 24, OSTIF increased its production by 300% and brought on its first full-time hire, Helen Woeste. Zimmer and Montazery, too, moved from weekend warriors to full-time staff at OSTIF.

Since then, the trio has maintained an output of at least 20 projects audited a year, attended multiple international conferences, and had their work presented all over the world as an example of what external and internal resources can do when properly pooled and managed to create real security impact on open source.

Over the past ten years, OSTIF has been responsible for the finding of over 800 vulnerabilities (121 of those being Critical/High), over 13,000 hours of security work, and millions of dollars raised for open source security. Maximizing output and security outcomes while minimizing labor and cost for projects and funders has resulted in partnerships with multi-billion dollar companies, top open source foundations, government organizations, and respected individuals in the space. Most importantly, we’ve helped over 150 projects improve their security. Right now, as you read this, we are working to keep growing that number. Hopefully, you’ll join us in advocating for and funding open source security work pivotal to our digital world.

Why Open Source?

OSTIF works almost exclusively with open source projects. This is because we believe that the open source ecosystem needs more security resources than it currently has. Open source is a part of our lives that is used by everyone, individual users and companies alike, but it is rarely supported in proportion to that use, or even acknowledged. The complex systems that govern and fund the open source ecosystem are incredibly, and increasingly, difficult to navigate.

Open source as infrastructure: Open source projects are part of banking, energy, the internet, cars, and payment systems, to name a few. While the definition of what counts as infrastructure is variable and defined at a moment in time, there are a lot of open source projects, big and small, that underpin our digital world and whose exploitation or deterioration would result in devastation and chaos.

Underfunded: Maintainers are often unpaid and under-supported. Even projects that are used and supported to a certain extent by governments, companies, or foundations are expected to provide free labor as part of their role in the project. Our work is designed to be as lightweight as possible on maintainers while giving them the opportunity to help design an engagement that works best for them personally as well as for the project. OSTIF has advocated, and continues to advocate, for paying maintainers for their work securing projects, paying out thousands of dollars to eligible maintainers who participate in security work.

Advocacy: OSTIF is one of the top fundraising organizations specifically dedicated to open source security. Working directly with funders, projects, and audit providers gives us unique insight into how open source functions at the macro and micro levels. We are able to take our experiences and testimony to shareholders and create connections where there previously were none.

Under-supported: While proprietary organizations receive guidelines and governance from governments and corporate structures, open source is self-governing. Communities are responsible for organizing, supplying, and endowing themselves, which makes for complex social and organizational relationships and structures that can be difficult to interact with as an outside party. OSTIF’s role as a third party in open source is challenging, and we’ve learned a lot the hard way, but it has also meant we have discovered how to work across and with multiple factions and groups to create shared, positive outcomes and experiences. We remain distinctive and uncommon for this reason.