50th Audit Milestone

Open Source Technology Improvement Fund (OSTIF) is beyond proud to announce the completion of our 50th security audit. Since 2015, the nonprofit organization has worked to provide actualized security support to open source projects in a way that is transparent, public, and impactful. We work with open source projects that…

Continue Reading50th Audit Milestone

Dampening Vulnerabilities in Dapr: Security Audit of Dapr

In May and June of 2023, OSTIF and ADA Logics worked with the open source project Dapr on a holistic security audit. The Distributed Application Runtime (or Dapr) is a project for building distributed applications across cloud and edge. It is an easy, portable, and serverless way to build sustainable…

Continue ReadingDampening Vulnerabilities in Dapr: Security Audit of Dapr

The OSTIF Audit of Curl with Trail of Bits is Complete

Results of curl Security Audit  By: Amir Montazery, OSTIF Open Source Technology Improvement Fund (OSTIF) is thrilled to announce the results of a security audit and threat model for curl. In development since 1998, curl is a command line tool and library for transferring data with URLs. Curl is used…

Continue ReadingThe OSTIF Audit of Curl with Trail of Bits is Complete

Our Audit of sigstore is complete. High risk vulnerability found and fixed.

We’re excited to report the results for the security audit of sigstore.  Sigstore is a new standard for signing, verifying and protecting software; and has quickly grown into a premier tool for securing the software supply chain. The security review was facilitated by Open Source Technology Improvement Fund and carried…

Continue ReadingOur Audit of sigstore is complete. High risk vulnerability found and fixed.

Our Audit of Argo is Complete. Critical and High Severity Security Issues Found and Fixed.

Open Source Technology Improvement Fund is happy to report the results of yet another security audit, this time of the Argo project. The Argo project is a collection of tools for getting work done with Kubernetes. The main components of Argo audited are:  Argo Workflows - Container-native Workflow Engine Argo…

Continue ReadingOur Audit of Argo is Complete. Critical and High Severity Security Issues Found and Fixed.

Our Audit of KubeEdge is Complete. Multiple Security Issues Found and Fixed.

Open Source Technology Improvement Fund (ostif.org) is thrilled to report the results of a security audit of KubeEdge. KubeEdge is an edge computing framework built on top of Kubernetes and extends native containerized application orchestration and management to hosts at the edge. The result of this engagement is the finding…

Continue ReadingOur Audit of KubeEdge is Complete. Multiple Security Issues Found and Fixed.

Our Audit of CRI-O is Complete – High Severity Issues Found and Fixed

Open Source Technology Improvement Fund is thrilled to report the results of a security audit of CRI-O. CRI-O is an open source software (OSS) project that is an implementation of the Kubernetes Container Runtime Interface. It can run any OCI-compatible container, providing an enormous number of applications and environments.  The…

Continue ReadingOur Audit of CRI-O is Complete – High Severity Issues Found and Fixed

Congratulations to Guido Vranken for earning our first bug bounty!

Security researcher Guido Vranken has had the honor of being our first bug bounty payout totaling $5000 USD for his work on fuzzing OpenVPN 2.4.2 and finding a variety of memsafe and error handling flaws, responsibly disclosing them, and working with OSTIF and the OpenVPN security team to integrate his…

Continue ReadingCongratulations to Guido Vranken for earning our first bug bounty!