Before you get started
- Before you get an audit, you should ideally do some preliminary checks yourself first. This saves time and money, as we would be doing that first anyway. Check our open source security best practices guide on GitHub.
- The cost of an audit varies, but it is typically tied to the complexity, the hours involved, and the type of audit (e.g. is there complex cryptography involved? Does it have many integrated parts? How much testing has already been done?). As initial audits can range anywhere from $30k to $200k, we have helped many projects raise funds and source sponsors to cover the entire cost or to split it.
- An audit isn't just a single process or service; it is a relationship with auditors that leads to discoveries and improved processes now and in the future. This means recurring audits should ideally find fewer vulnerabilities, and future updates should be written more securely based on the experience gained.
- The most critical step of any audit is reaching out to talk to us about what you actually need and how we can help. Even if you don't end up doing a full audit, we still want to hear from you about what you're working on, give any advice we can, and help you find the resources you need.
How does it work?
01 Define Scope
OSTIF works with you to figure out what code needs auditing, what it’s supposed to do, and how that audit should be done. Then we select an appropriate audit team to tackle it. We choose the best team based on your needs for expertise, quality and cost.
02 Perform Audit
We champion your audit through consulting, liaising, and managing quality control every step of the way with the auditors. We focus on timeliness and accuracy while making sure you, your project manager, and the auditing professionals are all on the same page with clear expectations. At this stage we discover what needs to be fixed and help you understand how to fix it.
03 Discuss Results
We talk with you about which findings should be fixed first and guide you on how to fix them in a way that the auditors are confident will remain secure.
04 Publish Report
After fixes are applied, we publish the report publicly so the whole open source ecosystem and especially your users can benefit from the knowledge that you not only care about their security and safety, but that your code is now professionally up to par.
Reach out to us!
Let's have a discussion; we'd love to hear about your project.