2025 Bug of the Year Award
The Open Source Technology Improvement Fund is a non-profit organization that specializes in security engagements for open source projects. We create bridges between the complex web of entities that are necessary to carry out a third-party security audit. A cornerstone of that work is the selection of an audit team for a given project based on a work proposal, employee expertise, and relevant experience. We look for educated, skilled security auditors who are highly detail-oriented, efficient, and enjoy challenging expectations. Individual security engineers who work for security firms do similar work to bug bounty hunters, but do not get direct credit or bounty payouts. Their efforts are absorbed into a whole (the audit report), which gets published in accordance with OSTIF’s transparency requirements, and then audit firms are compensated for their work.
While reflecting on our past 10 years, we revisited vulnerabilities discovered during OSTIF audits. As a result of our work, several hundred bugs a year are discovered on average. Audit reports are dense and often long, making it difficult for the casual reader to find and grasp the consequences of the bugs, and given the nature of our work we often have to pivot focus to other engagements once an audit report is released. With that in mind, our Executive Director proposed a new program: a Bug of the Year trophy, given to the individual who finds the best bug published by OSTIF in a calendar year.
When considering what makes a bug the “best”, it felt important to factor in things beyond just severity ranking: the criticality and popularity of the project, its respective industry and impact, as well as the difficulty of the threat plane. OSTIF’s Directors individually reviewed the 16 Critical and High findings from our 2025 audit releases, then each made a list of their top three. The top issues were then evaluated against each other, using the characteristics listed above to further distinguish them before a final decision was made.
Honorable Mentions
Finding: ROR-CR-23-01 Potential Remote Code Execution in image_processing Gem
Audit: Ruby on Rails
Team: X41 D-Sec
Details: If a vulnerable Rails app exposes the type of transformations to be applied to an image to a remote attacker, they may execute arbitrary commands in the context of the Rails app. This finding had been reported previously and issued a CVE number, CVE-2022-24720, but did not receive a verified fix at the time, resulting in its second reporting. If exploited, the vulnerability would have had a wide impact on the ecosystem.
Finding: CVE-2024-8929 Leak partial content of the heap through heap buffer over-read in mysqlnd
Audit: PHP
Team: Quarkslab
Details: A hostile MySQL server can cause the client to disclose the content of its heap, which may contain data from other SQL requests and possibly other data belonging to different users of the same server. PHP’s wide adoption and usage, as well as the similarity of this issue to past breaches, made this finding more pressing and impactful given the implications of exploitation and fall-out.
Winner
Finding: CVE-2025-31484 Conda-Forge Channel Access Token Leakage
Audit: conda-forge
Team: 7ASecurity
Found by Szymon Grzybowski
Details: Any feedstock maintainer could upload a package to the conda-forge channel, bypassing conda-forge’s feedstock-token and upload process. The wide impact, especially given the project’s use in AI, as well as the supply chain issue it created, resulted in a Critical ranking and a CVSS score of 9.7.
“The conda-forge bug itself was not technically complex. I discovered it mainly because I try to look at each piece of software I analyze as a whole. So basically, not only the main code and the repository, but also the runtime environment, the surrounding ecosystem, and the entire CI/CD pipeline. Even if the software itself is well designed and developed, there are always many moving parts. As this case shows, a small mistake during deployment can lead to potentially serious consequences. Developing and deploying software is hard. In my opinion, finding bugs is much easier than development, deployment, and maintenance. For that reason, hats off to the conda-forge team for how they handled the vulnerability. It was impressive to see how quickly the team analyzed the issue, deployed mitigations, and handled communication about the incident.”
– Szymon Grzybowski
These findings, if left in their respective projects, could have caused millions of dollars of direct damage to the software, not to mention the indirect costs absorbed by dependencies and downstream users when a bug is exploited. They were found and resolved because security audits are not just a deliverable, but a repeatable best practice that supports maintainers and code through the process of rigorous security work. Working directly with maintainers ensures that safe disclosure practices are followed, accurate proof is shared, and a fix is underway as soon as possible. OSTIF has over 160 audits’ worth of experience contacting, communicating, and collaborating with open source maintainers, and we understand their anxieties, processes, and needs while their project undergoes an audit. Our priority is a lightweight experience for maintainers, allowing them to focus on their day-to-day while remaining accountable for the project’s security development via an audit. Choosing audit teams who not only agree to work with open source but also understand the unwritten needs of the community, on top of their security expertise, is what sets us apart from other firms running the same audit processes. Engagements run by OSTIF concentrate on helping a project holistically by fixing issues and classes of bugs, in addition to providing open source tooling solutions for long-term security feedback.
“From a security assessment perspective, I have been involved in several OSTIF projects in 2025, and I really enjoy working on them. Unlike commercial security assessments, which unfortunately take most of my time, I find OSTIF projects more impactful, more researcher-friendly, and often more challenging.”
– Szymon Grzybowski
These three audits were possible because of funders who prioritized putting money directly towards security outcomes. OSTIF’s capability to design security engagements for unique and pivotal digital infrastructure is directly related to the amount of money we are able to raise. You can help us bring real solutions to open source by funding OSTIF directly to do more audits and associated security work. If you are a project maintainer, reach out and tell us your needs and security goals; we’re always looking for opportunities to point resources towards.
The OSTIF team would like to thank everyone who made 2025 possible: all funders, projects, audit teams, and programs that have supported us over the past 10 years have built in us a mechanism to effect real security change for an under-resourced, key part of our digital world. Our gratitude to:
- all our audit teams and researchers who contributed to finding and resolving vulnerabilities or security findings on behalf of OSTIF.
- all open source projects and the humans making them possible, especially maintainers and community members.
- all of the funding bodies who, believing in our mission and abilities, have honored us with their trust and money to create security outcomes.
Check out our 2025 annual report to learn more about OSTIF’s 10th year, the other audits and vulnerabilities up for this award, and what sets the organization apart in the cybersecurity space.