BADHOST OSTIF is disclosing the expanded details of the BadHost vulnerability in Starlette as slow uptake of updated versions of Starlette and discovery of more vulnerable live services has caused us serious concerns. I’d like to open by saying that the maintainer of Starlette is having a bad few weeks.…
2025 marked the 10th year of OSTIF. This year, we published 24 audits, worked on behalf of almost 50 projects, and partnered with 10 different funding bodies to create security outcomes for open source projects. As a result, 231 findings with security impact have been reported and over 98% of…
The Open Source Technology Improvement Fund is proud to share the results of our security audit of CRI-O. CRI-O is an implementation of the Kubernetes Container Runtime Interface (CRI) that is OCI-compliant (-O) that provides the backend between OCI-format container images and the Kubernetes control plane. With the help of…
The Open Source Technology Improvement Fund is proud to share the results of our security audit of Ruby on Rails. Ruby on Rails (or “Rails”) is an open source full stack web-application framework. Thanks to the help of X41 D-Sec, GitLab, and the Sovereign Tech Agency, Rails can provide more…
The Open Source Technology Improvement Fund is proud to share the results of our security audit of RSTUF. RSTUF is an open source implementation of the server components necessary for users to create a secure repository for downloading files from TUF (The Update Framework). Thanks to the help of X41…
OSTIF is proud to share the results of our security audit of Hickory DNS. Hickory DNS is an open source Rust based DNS client, server, and resolver. With the help of X41 D-Sec and Prossimo, this project can continue to provide users with a safe and secure DNS server and…
2024 was the 9th year of OSTIF, and what an exciting and groundbreaking year it was! Our annual report for 2024 starts with the OSTIF story then moves onto our impact, function, partnerships, funding, and future. We didn’t mince words here- it’s a quick read of less than five minutes.…
OSTIF is proud to share the results of our security audit of Backstage. Backstage is an open source framework for developer portals. With the help of X41D-Sec and the Cloud Native Computing Foundation (CNCF), this project can continue to provide quick and secure development environments. Audit Process: This audit was…
OSTIF is pleased to announce the completion of a security audit of the open source project RustVMM in collaboration with X-41 D-Sec GmbH, with funding by Amazon Web Services. The project offers crates to build customized Virtual Machine Monitors (thus, VMM), which can be vulnerable to malicious actors through its…
OSTIF and X41-Dsec collaborated with OpenSearch on a security audit on v. 2.8.0 of the open source search engine. As a search engine, this project handles sensitive data and therefore security is of utmost importance to project users, maintainers, and community. The main objective of this security audit was to…