Over the course of multiple programs with funders, we’ve heard their needs firsthand. Executives know they have the budget and the desire to fund security, but need help with how to start generating outcomes. Creating and sustaining open source security programs requires dedicated administration work, experience with the open source community, knowledge of open source maintainer dynamics, a pool of experts who understand the needs of open source maintainers, quality assurance, and project participation. That’s a large amount of work and cost to add to a foundation’s budget.

Partnering with OSTIF, you get all of the above included in the cost of the audit. The program is run for you by a nonprofit with ten years of experience and over a hundred audits published. Not to mention the marketing/PR associated with publication, and potential for community building through OSTIF meetups and conference talks. 

While identifying your needs for an audit program is one task, fulfilling them is another. Feedback from industry partners who have joined OSTIF suggests that self-run engagements in the past have not always gone as planned, due to the lack of support and the sheer amount of labor required to start and complete the audit process. Administrative support of the project requires navigating banking, invoicing, and contracts, and those tasks require experienced, costly labor. Administrative support should ideally be experienced in working with the open source community as well as with corporate and government stakeholders, which is a niche circumstance. Furthermore, the program will need to be monitored continuously for the quality of deliverables and of the engagement itself, all while remaining within budget.

OSTIF is designed to fill this role by supporting and answering to the needs of the funder while providing a high-quality deliverable that positively impacts the security health of the open source community. Results are captured, documented, and then resolved in coordination with the project and audit team to generate timely fixes. 

OSTIF has been molded and shaped over the years into what it is today: a glue between funders and open source projects. That glue has to have very specific functionality and be able to create deliverables within budget and timeline restrictions, while balancing several stakeholders’ investments, each with different directives and endgames. Our ‘brand’ of glue is a non-profit independent third party that creates a natural buffer and is in a neutral position, with no profit or gain beyond executing security research that results in publicly available information that helps the ecosystem as a whole harden and improve security.

Our Programs:

Sovereign Tech Agency

Berlin, Germany

Sovereign Tech Agency, via its Bug Resilience Program, funds security audits through OSTIF for critical open source technologies. 

Approximate Total Funding in 2023 and 2024: $777,000

Projects include Ruby on Rails, Conda-Forge, logback, curl, Jackson-dataformats and Jackson-datatypes, log4CXX, and log4net.

Linux Foundation

San Francisco, California, USA

Linux Foundation, namely via the Cloud Native Computing Foundation and OpenSSF, funds OSTIF for audit programs and individual audits of key projects.

Approximate Funding Per Year: $500,000

Projects include OpenSSL (funded by OpenSSF/Project Alpha-Omega), Kubernetes (CNCF), git, and many others. 

Amazon Web Services

Seattle, Washington, USA

Amazon Web Services funded an audit program of 10 Security Audits for key projects in 2022-2023. 

Average Cost Per Audit: $74,000

Projects include Apache Commons, bref, and boost.

19 Critical and High Vulnerabilities Found and Fixed. 

How to get involved with OSTIF:

If you like what we do (and you should, because you benefit from it!), you can support OSTIF in a couple of ways.

Direct Funding– Support OSTIF’s mission directly with financial support!

Organizations donating directly to OSTIF are supporting us by enabling our work to continue year-round, helping us fund cost-of-living raises and healthcare for our employees, and covering our administrative overhead costs like digital storage, software subscriptions, and conference travel expenses.

Security Funding– Engage us to manage security work on a project you’re passionate about!

If there is a project you use or support, help it further by contributing funding for an audit or other security engagement through OSTIF. Our process keeps costs low while ensuring a high level of quality work, and there are multiple options to stay within your budget while maximizing security outcomes.

Join our Community– Participate at OSTIF meetups or contribute to our documentation on GitHub. Alternatively, reach out to see how we could use your expertise to help the open source ecosystem!

Open source exists because of community efforts. Participation in our meetups, supporting our work at conferences, or educating yourself on our body of work helps spread our message of putting open source projects first in security work.