DEfO Audit Complete!

The Open Source Technology Improvement Fund is proud to share the results of our security engagement on Developing ECH for OpenSSL (“DEfO”). DEfO is an open source implementation of Encrypted Client Hello (ECH) for OpenSSL, and provides proof-of-concept implementations for various clients and servers that use OpenSSL as a demonstration…

Sovereign Tech Agency and OSTIF Security Audit Report

OSTIF is a proud participant in the Sovereign Tech Agency's Sovereign Tech Resilience Program. Outside of that work, we've also been funded to carry out ad hoc security engagements on critical open source software. Funding security solutions that are quantifiable, sustainable, and verifiable is an important part of the Sovereign…

zlib Audit Complete!

The Open Source Technology Improvement Fund is proud to share the results of our security audit of zlib. Zlib is an open source lossless data-compression library for use on virtually any computer hardware and operating system. Thanks to the efforts of 7ASecurity and the Sovereign Tech Resilience Program, this project underwent…

2025 Annual Report

2025 marked the 10th year of OSTIF. This year, we published 24 audits, worked on behalf of almost 50 projects, and partnered with 10 different funding bodies to create security outcomes for open source projects. As a result, 231 findings with security impact have been reported and over 98% of…

GNU libmicrohttpd2 Audit Complete!

The Open Source Technology Improvement Fund is proud to share the results of our security audit of GNU libmicrohttpd2. GNU libmicrohttpd2 is an open source library that “embeds a HTTP or HTTPS daemon into host applications.”* With the help of ADA Logics and the Sovereign Tech Agency, this project has…

The Bridge to Improving Security: How OSTIF Helps Foundations

Over the duration of multiple programs with funders, we’ve heard firsthand their needs. Executives know they have the budget and desire to fund security, but need help with how to start generating outcomes. To create and sustain open source security programs requires dedicated administration work, experience with the open source…

EU-STF and OSTIF

The open source community has been abuzz for the past two years about European governance in open source software. From casual meetups to professional conferences, the implication of government funding and regulation of the free-use software sector has resulted in heavily debated discourse around the legal, financial, societal, and functional…

conda-forge Audit Complete!

The Open Source Technology Improvement Fund is proud to share the results of our security audit of conda-forge. conda-forge is a community-driven open source repository of conda package manager recipes. With the help of 7ASecurity and the Sovereign Tech Agency, this project has invested in its longevity and security health…
