OpenVPN Audit Updates – News – And More!

Fundraising Is Going Well, Progress Is Fast!

We have had a lot of early success with our OpenVPN fundraiser, and the community response to the project has been tremendous with privacy advocates, VPN review sites, and VPN providers coming together to raise over $34,000 USD over the last two weeks. We think we are on track to meet our fundraising goals and get the audit process under way by January 1st 2017 as planned.

One of the common questions that we had on Reddit was about fundraising goals for how much we want to raise in order to meet our goals. Our response was vague because we were working on a large deal behind the scenes with a major IT company to secure some or even the majority of the funding through them alone. We were afraid of setting our goals too low and having the deal fall through, or setting the goal high and then lowering it when the deal went through. Either situation could be seen as misleading, and as a transparent organization we have attempted to stay as clear as possible to the public, while avoiding any possibilities for us to be seen in a bad light.

We regret to say that this deal with the major IT company has in fact fallen through. While this means that we have more fundraising to do, we can also be significantly more clear about how much money we need, who will be doing the audit, and how close we are to our goals.

The audit will be carried out by QuarksLab in Paris. Their exemplary job on a shoestring budget for the VeraCrypt audit has encouraged us to move forward with them on future projects. Fred, Jean-Baptiste, and Marion did fantastic work for us and we are looking forward to seeing what they can do on a full audit.

Our required budget for this project is estimated to be $71000 USD. This is due to the complexities of OpenVPN across many platforms, and the large number of dependencies. This places the current state of our fundraising at about 50% of our goal with just two weeks of fundraising under our belts! The support from the community has been strong and diverse, with donors from all over the world.

Healthy Competition: A VPN Provider Has Decided To Do It Alone.

What happened:

Two days ago, we learned about another effort to get OpenVPN 2.4 audited. We are thrilled to know that there are VPN companies that are willing to contribute significantly to the OpenVPN project. Unfortunately, this decision appears to have been made after OSTIF reached out to them for support multiple times, and the news came after two weeks of public fundraising had already been completed and a coalition of twenty VPN providers and dozens of other businesses had already been built.

They have made it clear that they have no intention to support the community effort, nor will their audit project collaborate with ours for the greater good.

What OSTIF management thinks about this effort: 

We do not know the circumstances that led up to their decision. We have reached out to them directly and through multiple parties to collaborate on this effort. The only response we have received was through a 3rd party, and that they do not intend to collaborate. We are confused as to their intentions with this effort, but the evidence leads us to believe that this is an effort to derail the community audit, and possibly take all of the credit for themselves for marketing purposes.

There is also very little information about their effort, its scope, and who is doing the audit beyond one person.

This effort appears to have been significantly rushed, with the OpenVPN staff learning of this new effort three days prior to this writing. We had been collaborating with OpenVPN Technologies and the community on this effort for over six months, and carefully planning the fundraising and timing for the project.

We also took significant steps to try to select auditors who are not from nations in the Five-Eyes Intelligence Alliance because the OpenVPN 2.x has major contributions from Fox-IT, whose parent company is NCC Group, which has close ties with the government of the United Kingdom. We wanted to avoid any situation where it could be viewed by the world that a five-eyes company was auditing an app with significant contributions from groups that are tied to that same company.

We strive for impartiality and transparency at all steps of the process.

What OSTIF intends to do moving forward:

The position of OSTIF, after having meetings with our managers and our board of trustees, is that we are going to continue fundraising with the community, and we will execute the audit as planned. If the other audit group changes their minds, and wishes to collaborate on the project for the greater good of the community, we are open to it at any time.

We will complete a thorough and full audit on a tight timetable and continue with our goals to complete audits of our supported applications and move them on to the next stages of support. Our goals are to create stronger security and privacy tools for all, even when faced with resistance from moneyed interests.

These audits will only make OpenVPN safer.