The Open Source Technology Improvement Fund is proud to share the results of our security work on the BOLT binary scanner for LLVM. LLVM is an open source compiler for translating human-readable source code for machine-readable hardware. In 2024, Arm engineer Kristof Beyls developed a static binary analyzer on BOLT,…
AIxCC Competition Background & Results: In 2023, DARPA announced a two-year long competition called the Artificial Intelligence Cyber Challenge (AIxCC) with the goal to safeguard open source software used in critical infrastructure throughout America. The intent is to hasten the development of open source AI tooling that can assist developers…
The Open Source Technology Improvement Fund is proud to share the results of our security audit of Paramiko. Paramiko is an open source Python implementation of the SSHv2 protocol designed for secure remote login and other secure network services. Thanks to the help of Quarkslab and Alpha-Omega, this project received…
The Open Source Technology Improvement Fund is proud to share the results of our security engagement on Developing ECH for OpenSSL (“DEfO”). DEfO is an open source implementation of Encrypted Client Hello (ECH) for OpenSSL, and provides proof-of-concept implementations for various clients and servers that use OpenSSL as a demonstration…
2025 Bug of the Year Award The Open Source Technology Improvement Fund is a non profit organization that specializes in security engagements for open source projects. We create bridges between the complex web of entities that are necessary to carry out a third party security audit. A cornerstone of that…
The Open Source Technology Improvement Fund is proud to share the results of our security audit of Stork. Stork is an open source project developed by the Internet Systems Consortium (ISC) that acts as an administrative interface for monitoring, maintaining, and surveilling Kea servers. With the help of 7ASecurity, this…
For the past 4 years, OSTIF has run a Managed Audit Program for the CNCF. We’ve audited 33 projects in that time, working with maintainers all over the world to reinforce the security health of cloud native open source for billions of end users. Security audits are an effective, sustainable…
OSTIF is a proud participant in the Sovereign Tech Agency's Sovereign Tech Resilience Program. Outside of that work, we've also been funded to carried out ad hoc security engagements on critical open source software. Funding security solutions that are quantifiable, sustainable, and verifiable is an important part of the Sovereign…
The Open Source Technology Improvement Fund is proud to share the results of our security audit of zlib. Zlib is an open source lossless data-compression library for use on virtually any computer hardware and operating system. Thanks to the efforts of 7ASecurity and the Sovereign Tech Resilience Program, this project underwent…
2025 marked the 10th year of OSTIF. This year, we published 24 audits, worked on behalf of almost 50 projects, and partnered with 10 different funding bodies to create security outcomes for open source projects. As a result, 231 findings with security impact have been reported and over 98% of…