The Open Source Technology Improvement Fund is proud to share the results of our security audit of OpenEXR, a project at the Academy Software Foundation. OpenEXR is an open source specification and reference implementation of the EXR file format, which “accurately and efficiently represents high-dynamic-range scene-linear image data” (https://openexr.com/en/latest/). With the help of Shielder and the Academy Software Foundation, this project will continue to be high-functioning, widely used software for those who need accurate image data across a broad range of use cases.

Audit Process:

This work took place in January 2025, with three engineers spending a total of twelve person-days on the audit. The intention of the audit was to understand how the project functions, and therefore its security posture, and to use that knowledge to find vulnerabilities in the code and provide recommendations for future work. To do so, the audit team conducted a threat modelling exercise, manual review, automated testing, a review of dependencies, and fuzzing analysis.

Audit Results:

  • 4 Findings with Security Impact
    • 1 Critical
    • 1 Medium
    • 2 Low
  • Fuzzing improvements, increasing coverage
  • Release process improvements
  • Future Security Work recommendations

The OpenEXR file format is used by many enterprises and professional software products in the VFX, animation, and film industries, including Pixar RenderMan, Unreal Engine, the Autodesk suite, the Apple Vision Pro, and NVIDIA Omniverse. The security of work performed with OpenEXR is of utmost importance to the multi-billion dollar companies creating content with it. All of the findings reported by this audit have been resolved, so if you are a user, please update to the latest release to benefit from the work performed by the audit team and the maintainers.

Thank you to the individuals and groups that made this engagement possible:

  • OpenEXR maintainers and community, especially: Cary Phillips and Kimball Thurston
  • Shielder: Abdel Adim Oisfi, Davide Silvetti, Nicolò Daprelà, and Pietro Tirenna
  • Academy Software Foundation

You can read the Audit Report HERE

You can read Shielder’s Blog HERE

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact [email protected].

OSTIF is celebrating our 10 year anniversary! Join us for a meetup about our work, lessons learned, and where we see the future of open source security going by following our meetup calendar https://lu.ma/ostif-meetups