OSTIF started performing security audits in earnest in 2018, tackling a new level of involvement in open source security. That same year saw OSTIF’s first collaboration with security firm Trail of Bits, working together to complete an audit of RandomX. Since then our two organizations have worked together on 12 security audits of open source projects, united in our goal of a safer and more secure open source environment.

OSTIF’s process for selecting an audit team for a given project is discerning and objective. By comparing competing bids submitted in response to project proposals, each project is paired with a team that must be experienced, capable, and inquisitive. In this way, Trail of Bits’ Open Source teams have worked with OSTIF on projects like the Linux kernel, cURL, KEDA, and Flux, to name a few. These engagements varied in their needs and the skill sets they required, resulting in a wide range of experiences and documentation. Trail of Bits has demonstrated the ability to work with diverse open source projects across demanding and differing security needs and goals, and we at OSTIF can attest to the high-level execution of work we have experienced first-hand.

Trail of Bits has written a blog post detailing some of the audit work we completed together in 2023. The post covers nine projects our two organizations have collaborated on. There’s more to come in that regard: watch for another blog post by Trail of Bits detailing current and future audits.

OSTIF is proud to have facilitated these past engagements, and we look forward to bringing more security to open source projects. With the help of Trail of Bits, and of community members like you, we can make 2024 a pinnacle year for advancing security in the open source ecosystem.