OSTIF in 2018 – Our Plans for the Future

2017 was a wild ride, with OSTIF raising roughly double the funds that we did the year prior. We’ve learned a lot along the way, and are working hard to get even more done in 2018. These plans include widening support to more apps, building stronger relationships with our existing supported apps, better messaging and outreach to donors, and getting our first “Gold” certified apps that have completed all three phases of OSTIF support (audit, bounties, research funding).

Widening Support – More Open-Source Apps We Can Trust

We are currently seeking to expand relationships to new projects in key areas of computing. Our strategy is to create a full “suite” of trusted apps that will allow a user to get through their day-to-day activity on safe, reliable, and trustworthy open source software. If you have an opinion on any of these projects we would love to hear from you on why one project should be selected over another. We value the input of the community and consider any and all comments from the public and our supporters.

We need a web server – We are currently deciding between Apache and Nginx. While Apache has larger marketshare, Nginx is less resource hungry and has strong performance.

We need a content management system – We are currently deciding between WordPress and Joomla. WordPress has an overwhelming amount of marketshare, but also significant in-house support through Automattic and a less-than-perfect open source policy. Joomla is more open, but a much smaller project.

We need a reliable open-source router OS – We are currently deciding between DD-WRT and Tomato. DD-WRT is a larger project with a larger base of installed users, however, it is fragmented over many versions which makes reliable auditing difficult. The Shibby-Tomato project is smaller, supports less router hardware, and is basically a one man show for development, but is generally easier to use.

We need a trustworthy BIOS / EFI system – We are currently deciding between the Coreboot and Libreboot projects. Coreboot has virtualization support, while Libreboot has wider hardware support. We also want to fund additional research into breaking Intel Management Engine and the AMD Platform Security Processor that add unsafe and untrustworthy software to all BIOS/EFI implementations on newer computers.

We need a trustworthy Media Player – This will almost certainly be VLC Media Player. This is due to their massive install base, ease of use, performance, their commitment to remaining open-source, cost free, and ad-free, and their long standing track record.

We need an open-source Office SuiteOpenOffice and LibreOffice are prime candidates for this. We need to do more research into both projects before making a decision.

We need a database serverMySQL is the prime candidate here, but MongoDB, MariaDB and others are also being considered.

This will expand OSTIF’s list of supported apps from the current five projects to twelve, significantly increasing our impact on the open-source community.

Messaging and Outreach to Donors

OSTIF will be increasing the ways that people can participate in the community and get involved. Since the organization was created, our greatest challenge has been developing contacts in the community and spreading our messaging. Over 90% of our manager’s time is spent on developing contacts and fundraising, and our limiting factors are time and word of mouth.

We have been considering ways that the community can help the project move forward. Our largest corporate sponsors have come from organic outreach. Someone who supported our cause suggested us to the right person in the right position at the right company. We want to maximize the way that the community can help us reach the right people.

To help us organize with the community to seek donors, we have created /r/ostifoutreach on Reddit. This subreddit will allow us to directly name companies that we are trying to reach, and if someone knows a relevant contact at that company, they can either contact the person to let them know we’d like to reach them, or share that contact with us so that we can reach out ourselves.

We also plan to increase our presence on Twitter through @ostifofficial. We will continue to offer significant security news, updates on OSTIF activity, and the occasional public praise, criticism or ridicule on tech-related topics.

We are considering live-stream sessions where people can interact with us directly to talk about security, strategy, current fundraisers, or whatever meandering off-topic thing the community wants to know.

And finally, we are considering a more formalized public comment system, where major policy choices can be formally posted for comment in the form of RFCs. This will allow us to organize community responses and understand what you want from us. We think this will be necessary as we grow to a size where the CEO can’t personally respond to every single comment.

Gold Certified Apps

With the OpenVPN and VeraCrypt projects completing their audits and having active bug bounties, they are well on their way to “Gold” certification, which is when OSTIF certifies the project as having met our requirements by going through an audit, 6 months of no new serious security problems while a $5000 bug bounty is active, and OSTIF has sponsored at least one research and development grant to make the software stronger or easier to use. We expect both projects to meet the standards for gold certification by the end of 2018.


With all of the progress we’ve made and how far we’ve come, it all falls apart without the community. We need your participation whether it is to donate, subscribe to /r/ostifoutreach , follow us on Twitter, tell your friends and colleagues about us, comment to us about the direction of the organization or our supported apps, or audit our supported software and collect your bug bounty! We all need to participate to get over these challenges and make the free software world better.