A Review of the Linux Kernel’s Vulnerability Reporting and Remediation

The Linux Foundation has sponsored a review of the Linux Kernel's practices and policies around how security vulnerabilities are reported to the kernel team, how those reports are processed and addressed, and how those vulnerabilities are disclosed to the public. OSTIF, working with the team at Atredis Partners and a…

Continue Reading A Review of the Linux Kernel’s Vulnerability Reporting and Remediation

The Linux Foundation Public Health Initiative Sponsored the Audit of COVID Exposure Notification Apps. Here Are The Results!

The Linux Foundation's Public Health (LFPH) initiative has sponsored audits of two COVID-19 exposure notification apps, COVID Shield and COVID Green. As part of their stewardship of these projects, the Linux Foundation decided that it would be prudent to perform due diligence by reviewing the design and code of the…

Continue Reading The Linux Foundation Public Health Initiative Sponsored the Audit of COVID Exposure Notification Apps. Here Are The Results!

We are Raising Money to Audit Unbound DNS

We have just completed our review of OpenSSL 1.1.1 with QuarksLab, and we are moving on to our next big project, Unbound DNS! What is Unbound and Why is it Important? One of the core functions of the internet is domain name resolution. This means that when you type in…

Continue Reading We are Raising Money to Audit Unbound DNS

The OSTIF and Quarkslab Audit of OpenSSL is Complete

We would like to thank our sponsors Private Internet Access and DuckDuckGo for helping to fund this security review, as well as all of our  donors and individual supporters. This crucial work doesn’t happen without support from the community. The quick and dirty: OpenSSL version 1.1.1 was evaluated with special foci on new TLS…

Continue Reading The OSTIF and Quarkslab Audit of OpenSSL is Complete

Our Review of the OpenSSL 1.1.1 Random Number Generation Update

We have completed the security review of the new Pseudorandom Number Generator (PRNG) for OpenSSL1.1.1. This security review was sponsored by Private Internet Access, ExpressVPN, DuckDuckGo, OpenVPN, and the privacy community. Random number generation is a crucial component in all cryptography, because the “randomness” of numbers is the mechanism that makes secret numbers hard to guess. Problems…

Continue Reading Our Review of the OpenSSL 1.1.1 Random Number Generation Update

The QuarksLab and Kudelski Security audits of Monero Bulletproofs are Complete

Kudelski Security has done a review of Monero Bulletproofs, a specific type of range proof based on new cryptography by Benedikt Bunz et al. Bulletproofs is a trustless proofs setup that is substantially smaller than the current Borromean style range proofs that are currently used, promising to make Monero transactions 10-20%…

Continue Reading The QuarksLab and Kudelski Security audits of Monero Bulletproofs are Complete
OSTIF is Working with Monero Research Lab on Bulletproofs
Monero cryptocurreny theme with computer motherboard theme

OSTIF is Working with Monero Research Lab on Bulletproofs

OSTIF is Working with Monero Research Lab on Bulletproofs We are happy to announce that we have been working with the Monero project to help them locate auditing resources for Bulletproofs. This code review is to evaluate the safety of the implementation of Bulletproofs into Monero, which promises to dramatically…

Continue Reading OSTIF is Working with Monero Research Lab on Bulletproofs

The OpenVPN 2.4.0 Audit by OSTIF and QuarksLab Results

OpenVPN 2.4.0, the NDIS6 TAP Driver for Windows, the Windows GUI, and Linux versions were evaluated. This release included a number of new features including control channel encryption. QuarksLab found: 1 Critical/High Vulnerability CVE-2017-7478 1 Medium Vulnerability CVE-2017-7479 5 Low or Informational Vulnerabilities / Concerns This public disclosure of these vulnerabilities coincides with the release of OpenVPN 2.4.2 which fixes…

Continue Reading The OpenVPN 2.4.0 Audit by OSTIF and QuarksLab Results

The VeraCrypt Audit Results

VeraCrypt 1.18 and its bootloaders were evaluated. This release included a number of new features including non-western developed encryption options, a boot loader that supports UEFI (modern BIOSes), and more. QuarksLab found: 8 Critical Vulnerabilities 3 Medium Vulnerabilities 15 Low or Informational Vulnerabilities / Concerns This public disclosure of these vulnerabilities coincides with the release of VeraCrypt 1.19…

Continue Reading The VeraCrypt Audit Results

OSTIF + QuarksLab Audit of VeraCrypt Completed – Phase II Begins

OSTIF + QuarksLab Audit of VeraCrypt Completed - Phase II Begins The audit of VeraCrypt has been completed, and the final report is being created over the coming days. The VeraCrypt developers have the preliminary results and we are working with both VeraCrypt and QuarksLab on the timetable for releasing…

Continue Reading OSTIF + QuarksLab Audit of VeraCrypt Completed – Phase II Begins