BADHOST OSTIF is disclosing the expanded details of the BadHost vulnerability in Starlette as slow uptake of updated versions of Starlette and discovery of more vulnerable live services has caused us serious concerns. I’d like to open by saying that the maintainer of Starlette is having a bad few weeks.…
The Open Source Technology Improvement Fund is proud to share the results of our security audit of Paramiko. Paramiko is an open source Python implementation of the SSHv2 protocol designed for secure remote login and other secure network services. Thanks to the help of Quarkslab and Alpha-Omega, this project received…
The Open Source Technology Improvement Fund is proud to share the results of our security audit of LibVLC. LibVLC is the open source core engine and foundation of VLC media player. With auditing by Trail of Bits and funding provided by the Sovereign Tech Agency, LibVLC received scoped security work,…
The Open Source Technology Improvement Fund is proud to share the results of our security audit of Inspektor Gadget. Inspektor Gadget is a collection of open source libraries and tools for data collection and inspection of Kubernetes clusters and Linux hosts. With the help of Shielder and the Cloud Native…
The Open Source Technology Improvement Fund is proud to share the results of our security audit of Requests, CacheControl, and urllib3. Requests is a widely used, elegant HTTP library for Python, designed to make HTTP requests simple and human-friendly, CacheControl is a port of the caching algorithms from httplib2 for…
For the past 4 years, OSTIF has run a Managed Audit Program for the CNCF. We’ve audited 33 projects in that time, working with maintainers all over the world to reinforce the security health of cloud native open source for billions of end users. Security audits are an effective, sustainable…
OSTIF is a proud participant in the Sovereign Tech Agency's Sovereign Tech Resilience Program. Outside of that work, we've also been funded to carried out ad hoc security engagements on critical open source software. Funding security solutions that are quantifiable, sustainable, and verifiable is an important part of the Sovereign…
The Open Source Technology Improvement Fund is proud to share the results of our security audit of zlib. Zlib is an open source lossless data-compression library for use on virtually any computer hardware and operating system. Thanks to the efforts of 7ASecurity and the Sovereign Tech Resilience Program, this project underwent…
2025 marked the 10th year of OSTIF. This year, we published 24 audits, worked on behalf of almost 50 projects, and partnered with 10 different funding bodies to create security outcomes for open source projects. As a result, 231 findings with security impact have been reported and over 98% of…
The Open Source Technology Improvement Fund is proud to share the results of our security audit of CRI-O. CRI-O is an implementation of the Kubernetes Container Runtime Interface (CRI) that is OCI-compliant (-O) that provides the backend between OCI-format container images and the Kubernetes control plane. With the help of…