2025 Bug of the Year Award The Open Source Technology Improvement Fund is a non profit organization that specializes in security engagements for open source projects. We create bridges between the complex web of entities that are necessary to carry out a third party security audit. A cornerstone of that…
The Open Source Technology Improvement Fund is proud to share the results of our security audit of Stork. Stork is an open source project developed by the Internet Systems Consortium (ISC) that acts as an administrative interface for monitoring, maintaining, and surveilling Kea servers. With the help of 7ASecurity, this…
For the past 4 years, OSTIF has run a Managed Audit Program for the CNCF. We’ve audited 33 projects in that time, working with maintainers all over the world to reinforce the security health of cloud native open source for billions of end users. Security audits are an effective, sustainable…
OSTIF is excited to announce our membership in the Open Source Initiative’s Open Policy Alliance. Contributing to cybersecurity policy is part of OSTIF’s mission to educate around the importance of security to sustainable open source longevity. Working with the global community that makes up the Alliance is an honor. We…
The open source community has been abuzz for the past two years about European governance in open source software. From casual meetups to professional conferences, the implication of government funding and regulation of the free-use software sector has resulted in heavily debated discourse around the legal, financial, societal, and functional…
OSTIF is proud to share the results of our security audit of Fastify. Fastify is an open source overhead web framework for Node.js, which prioritizes speed while maintaining expansibility and approachability. This audit was possible through the efforts of Ada Logics and the support of the OpenJS Foundation. Audit Process: First…
Why OSTIF? There’s a lot of misconceptions that cause stagnation when it comes to procuring and participating in security audits. How does one even begin to get an audit, much less fund it? There is too much work involved, and not enough help from the auditors. It’s just a way…
OSTIF is proud to share the results of our fuzzing audit of LLVM. The LLVM project is a compilation of modular and reusable compiler and toolchain technology. Having completed this fuzzing audit with the help of Ada Logics and the Sovereign Tech Fund, LLVM can experience a deeper and more…
OSTIF is proud to share the results of our security audit of Jackson subprojects. Jackson-dataformats-binary, Jackson-dataformats-text, Jackson-dataformat-xml, Jackson-datatype-joda, and Jackson-datatypes-collections are open source subprojects that contribute to Jackson (described as “JSON for Java”). With the help of Ada Logics and the Sovereign Tech Fund, these subprojects will be more secure…
In collaboration with Amazon Web Services and the Eclipse Foundation, OSTIF is excited to release our Independent Security Audit Impact Report for 2023! Over the past year, OSTIF worked with 10 projects to complete third-party security audits with funding supplied by AWS and the EF. The engagement oversaw 24 new…