The Open Source Technology Improvement Fund is proud to share the results of our security audit of MaterialX. MaterialX is an open source project hosted at the Academy Software Foundation for “representing rich material and look-development content in computer graphics, enabling its platform-independent description and exchange across applications and renderers” (materialx.org). With the help of Shielder and the Academy Software Foundation, this project will continue to be a fundamental and securely designed part of the computer graphics pipeline behind movie magic.

Audit Process:

The engagement took place in January 2025; three engineers spent eight person-days on the audit work. The process included creating a threat model, performing manual review and automated analysis, reviewing dependencies, reviewing the release process, and inspecting fuzzing coverage. The goals of this work were to gain a general sense of the current security posture of MaterialX and then to offer recommendations for hardening the security of this software.

Audit Results:

  • 7 Findings with Security Impact
  • Improved Fuzzing Coverage
  • Improved Release Processes
  • Future Security Work Recommendations

MaterialX software is used by many firms involved in movie and game VFX, animation, and film. Specific programs include Pixar RenderMan, Unreal Engine, the Autodesk suite, the Apple Vision Pro, and NVIDIA Omniverse; in short, companies developing cutting-edge animation and CGI for billion-dollar industries. It is important to them that the open source projects they use are able to resist and repel exploitation and be as free from vulnerabilities as possible. This audit work was made possible by the contributions of the MaterialX maintainers, who responded to the report by resolving all current findings that could be publicly released.

Thank you to the individuals and groups that made this engagement possible:

  • MaterialX maintainers and community, especially: Jonathan Stone
  • Shielder: Abdel Adim Oisfi, Davide Silvetti, Nicolò Daprelà, and Pietro Tirenna
  • Academy Software Foundation

You can read the Audit Report HERE

You can read Shielder’s Blog HERE

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact [email protected].

OSTIF is celebrating our 10 year anniversary! Join us for a meetup about our work, lessons learned, and where we see the future of open source security going by following our meetup calendar https://lu.ma/ostif-meetups