Become a Sponsor
Why Sponsor OSTIF?
The Open Source Technology Improvement Fund is a corporate nonprofit with the mission to improve the long-term security and sustainability of critical open-source projects. We are a premier partner and advocate for the advancement of open-source software security. This is done mainly by helping organizations and communities gain access to better security resources.
We strengthen the security and integrity of infrastructure that all organizations and their clients depend on.
We have developed a deep network of security experts, audit groups, corporate representatives, and FOSS advocates working to support our mission. Our efforts have resulted in the patching of hundreds of security bugs impacting billions of users globally. We are extremely grateful to the 25+ organizations and individual donors who have already supported us.
Software security is complex, and finding appropriate security engineers at the right scope and price is even more difficult. OSTIF's role in the open source community is to help projects get through that process with as few headaches as possible, with full transparency and trust. All too often, projects overpay on rates or hours, or pay unqualified contractors to review their code.
OSTIF provides:
Assistance with Scoping – We help identify appropriate areas of code coverage for your project's security review, and select a scope that gives your project the most benefit based on your project's use case, the codebase itself, your dependencies, and the security practices that your project already uses. Appropriate scoping reduces costs while making the review more effective, because the engineers spend their time in the areas that matter most.
Assistance with Pricing – We have spent years building a network of vetted security partners, who all bid on your project. This acts as an aggressive price control that saves projects that work with us thousands every year, while only allowing top security professionals with novel published research in your project's scope to review your project.
Assistance with Quality Control – We closely monitor the audit process as it proceeds, and act as a mediator in disputes over the reporting and severity of security bugs that are found. Reports are repeatedly revised until all parties are happy with the content of the report before public disclosure.
Assistance with Banking – Many open source projects are not full business entities with bank accounts or staff. OSTIF can provide a place to fund-raise for your project without needlessly spending months creating a formal business entity.
Nonprofit Status – OSTIF is a 501(c)(3) charitable organization, classified under scientific research. Donations to OSTIF are tax-deductible in the United States. This can encourage corporate donations toward your project's security review.
Remediation – We instruct our security teams to seek opportunities to close entire classes of bugs. If the auditors spot an issue that recurs multiple times throughout the same review, they are instructed to provide remediation steps so that not only are the existing bugs squashed, but an improvement in practices permanently prevents the issue from recurring as the project continues to develop and grow.
Transparency – OSTIF acts as a neutral third party. We always disclose our work to the public in full, with a short synopsis page that describes the review in a ~10 minute read, and with the full report available for public consumption. This provides your project with more than increased trust from the public: it gives OSTIF a peer review process that allows critique of our work and results, and it allows administrators and developers around the world to evaluate your project for integration into their work.
MORE – Every project is unique. We consider the novel challenges that every project faces, and work to help solve those problems.
Partnership Process
OSTIF is leading the way by crowdsourcing good people and good ideas. Our work has resulted in countless hours of security research and bug patches, with billions of systems improved.
01 Donate
Corporate sponsorship is the most effective way to get involved. Simply provide funding and we take care of the rest, maximizing return and impact. Platinum sponsors steer the organization forward and earmark funds for specific projects.
02 Audit
OSTIF manages the audit from start to finish. We source bids and build the best team to do the work. An in-depth source code analysis and logic review is done, resulting in bug fixes and improvements to functionality and security.
03 Publish
After all fixes and improvements have been made to the software, we publish the results of the audit. Top sponsoring organizations get recognition on published audit work, resulting in significant coverage.
04 Result
Improved software can directly and notably reduce risk in the software stacks that are used by organizations worldwide, leaving the sponsoring organization (and the world!) better equipped to prevent future adverse events.