We are delighted to announce that the Open Source Technology Improvement Fund has surpassed it’s target goal of $71,000 USD with two weeks of fundraising to spare! We are continuing to seek donations until fundraising officially ends on January 1st.
Our community: A coalition for positive change and a stronger OpenVPN.
This accomplishment is due to an overwhelmingly strong response from the community, where we have built a coalition of 33 companies and many individuals who have donated and helped spread the word about our cause.
We want to give a special thank you to our largest supporters Private Internet Access and iPredator, whose generous contributions make up more than half of the total money raised! Their help is instrumental in making this audit happen and moving the effort forward. We also want to thank ThatOnePrivacyGuy from ThatOnePrivacySite for helping us create incentives for VPN providers to contribute to the cause through a special recognition category for VPNs that contribute back to the privacy community. And a special thank you to the Reddit community for helping us spread the word around the world about our cause.
Why does fundraising continue? Where does money raised beyond the goal go?
The overflow funds are being reserved for the bug bounty program that will begin after the OpenSSL audit finishes in mid 2017. This will be a program where researchers can submit new security bugs to the developers of the projects that have already been audited by OSTIF for up to $5000 in rewards. When this program begins, it will cover VeraCrypt, OpenVPN, and OpenSSL and OSTIF will need a $50,000 pool to set aside for award payouts that will need to be periodically replenished by donations overages from other projects. The bug-bounty program is the crucial next-step in improving our supported apps. It draws in the attention of reverse-engineers, white hats, and academics to do additional research into the functionality of the apps and find irregularities that can lead to security vulnerabilities. After a professional audit, bringing the eyes of the crypto world to the project is what will keep these apps as strong as they can possibly be.
What is the next step in the OpenVPN audit process?
Now that we have the funds, we will contact QuarksLab and reserve a team of two senior researchers to conduct the audit. We have decided internally that because we already have a world-renowned cryptographer auditing the core crypto of OpenVPN (Dr Matthew Green), our team of researchers will focus on software vulnerabilities and exploit analysis. We think that these combinations of skills will lead to the best possible analysis of OpenVPN as a whole.
We have a tentative agreement for the head of our QuarksLab team to be Gabriel Campana. Those in security circles might remember his recent impressive Qubes OS + Xen Paravirtualization escape exploit. This elegant exploit chain allowed an attacker to take full control of a Xen based server that was running Qubes OS, one of the most security focused Linux distros today. In the demonstration, a simple script allowed the user to escape the Qubes instance and take full control of any other instance in the machine, regardless of permissions. We can also see some of his excellent audit work on set-top boxes here.
Thank You All For Supporting OSTIF
This is an enormous accomplishment for OSTIF and the privacy community. Thank you to each and every person who contributed to the project by donating and spreading the word. We are going to continue to do great things and make a real difference in the safety of the digital world that we all share.