The Open Source Technology Improvement Fund is proud to share the results of our security audit of RSTUF. RSTUF (Repository Service for TUF) is an open source implementation of the server-side components needed to run a repository whose downloads are protected by TUF (The Update Framework). Thanks to the help of X41 D-Sec GmbH and the OpenSSF, this project can continue to develop and grow as a security-focused repository service.
Audit Process:
This audit work took place over 22 person-days at the beginning of 2025. Using white-box penetration testing methods, the team at X41 D-Sec first created a threat model of RSTUF to determine the areas of focus for a manual code review, aided by static code analyzers. The scope of the audit covered the three submodules under the RSTUF umbrella repository and their documentation; the documentation review's results are included as informational notes in the audit report.
Audit Results:
- 13 informational findings
- No findings severe enough to receive a CVSS score; all 13 are informational
- All reported findings are recommended to be fixed in order to further harden RSTUF
- Custom threat model
- Recommendations for future security work
The audit team at X41 D-Sec notes that RSTUF's security posture is above average for a project in beta, which reflects the care its maintainers have taken in developing it. This audit is one step on RSTUF's path toward its first stable release. The RSTUF team has begun addressing the reported findings, improving the project's documentation and tightening its baseline security defaults. OSTIF would like to thank the team at RSTUF for their participation and efforts throughout this audit.
Thank you to the individuals and groups that made this engagement possible:
- RSTUF maintainers and community
- X41 D-Sec: Ali Basma, Markus Vervier, Eric Sesterhenn, and Antonela Conti
- The OpenSSF
You can read the Audit Report HERE
You can read RSTUF’s Blog HERE
You can read X41 D-Sec’s Blog HERE
Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact [email protected].