OSTIF + QuarksLab Audit of VeraCrypt Completed – Phase II Begins

The audit of VeraCrypt has been completed, and the final report is being created over the coming days. The VeraCrypt developers have the preliminary results and we are working with both VeraCrypt and QuarksLab on the timetable for releasing results.

Why aren’t results released immediately?

To keep the public as safe as possible, audit information is not released publicly until the developers of the software are confident that all bugs are fixed. This delay ensures that an updated version of the software is available simultaneously with the release of the audit results.

It is also OSTIF policy that we do not handle “zero day” vulnerability information. This both releases us from liability if a zero day were to go public, and allows developers and donors to trust that we are not misusing or selling vulnerability information. The primary purpose of these audits is to improve the security software, and our policies reflect that.

We are working closely with QuarksLab and VeraCrypt to ensure that as soon as VeraCrypt is ready, we will simultaneously release the results of the audit on all three of our websites.

