The Open Source Technology Improvement Fund is a corporate non-profit organization that connects open-source security projects with much needed funding and logistical support. This core value is driven by public fund-raising and by soliciting donations from corporate and government donors.
Why the OSTIF is important:
Now more than ever, the world realizes the need for strong open-source security software. Because of the lack of a profit motive, open-source programs are woefully underfunded and their resources are lacking, despite their central role in the Internet. This leaves crucial Internet infrastructure susceptible to bugs, poor documentation, poor performance, slow release schedules, and even espionage. Raising money through various funding sources allows the OSTIF to fund and support the most critical open-source projects, with the aim of strengthening the Internet for the world.
How the OSTIF enhances the security of the world:
A focused and correctly scoped security review executed by an experienced team results in significant and long-lasting improvements to software. According to Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits by Lillian Ablon and Andy Bogart, “For products that have a longer life, are more complex, are popular with a large market share, or are high revenue generators, more people have evaluated the code bases, and finding vulnerabilities often requires more in-depth auditing, logic review, and source code analysis, in order to go several layers deep.” This has been the case with OSTIF, as our expert reviews have resulted in hundreds of bug patches, including the patching of over 20 Critical/High Impact Vulnerabilities.
OSTIF’s Audit Process
|Step 1: Coordinate
OSTIF meets with you one-on-one to get to know you and understand your needs. Once a preliminary scope is defined, OSTIF sources professional auditors and experts from a diverse network. Bids are collected and analyzed based on cost and team expertise. After coordination and approval, OSTIF organizes communication between you and the audit team and moves the review forward.
|Step 2: Audit
The audit team gets to work. Code is evaluated for vulnerabilities based on the scope of the review. You are provided with updates as the review progresses. OSTIF manages the process and acts as a neutral party should any questions or concerns arise.
|Step 3: Patch
Auditors supply you with the results of the evaluation and assist with fixes and strengthening the code. This process allows for lasting impact on the software’s security.
|Step 4: Release Report and Maintain
The updated code and audit report are released to the public. This provides assurance to users that the software has been expertly reviewed. Further maintenance via bug bounties, supplemental reviews of new updates, and additional audits are all available through OSTIF.
Why Open-Source Projects and Corporate Clients Partner With OSTIF
OSTIF’s mission is to improve the long-term security and sustainability of critical open-source projects. Our vision is to be a premier partner and advocate for advancing the security of open-source software. We do this by helping organizations and communities gain access to better security resources. OSTIF has spent the last 5+ years developing a deep network of security experts, audit groups, corporate representatives, and FOSS advocates, all working to fulfill its mission.
Open-source projects and corporations of all sizes partner with OSTIF because we make the process incredibly easy. We provide end-to-end assistance with:
|Scoping||We work with you one-on-one to help identify appropriate areas of code coverage for your project’s security review, and select a scope that gives your project the most benefit.|
|Pricing||We have spent years building a network of vetted security partners, who all bid on your project. Our bidding and scoping process results in significant cost savings and assurance that the review is focused on the right things.|
|Quality Control||We closely monitor the audit process as it proceeds, and act as a mediator in disputes over the reporting and severity of security bugs that are found.|
|Banking and Administration||We provide a place to fund-raise for your project without needlessly spending months creating a formal business entity. Furthermore, our nonprofit status provides further cost and tax benefits.|
Procuring high quality audit resources while keeping costs in check requires a significant amount of scoping and coordination. OSTIF handles the process from start to finish and delivers an audit report to document the process and fixes. Our bidding process and diverse network ensures that costs are managed, and audits are correctly scoped and staffed.
Call to Action
If your team is interested in procuring a security review with OSTIF, or if you have questions and want to learn more, get in touch with us! We have learned that a personal touch and hands-on approach creates better results. The best way to contact us is to e-mail our CEO directly with a brief introduction and the best way to contact you. His email is shown below:
More info about OSTIFs work: https://ostif.org/ostifs-accomplishments-and-goals/
Open Source Technology Improvement Fund, Inc. (OSTIF) was founded in 2015 with the mission of connecting open-source projects with much needed funding and logistical support. Since then, over 3,000 hours of audit work for critical open-source software has been coordinated. This security work has resulted in the patching of hundreds of security bugs, impacting billions of users globally. We have partnered with more than 25 organizations to coordinate audits for a variety of open-source projects, such as OpenSSL, OpenVPN, and Unbound DNS.
As a 501(c)3 nonprofit organization, OSTIF has remained devoted to strengthening the Internet by improving the security of free and open-source software. We are committed to helping our partners and clients get the resources they need to maintain secure and reliable software.
“OSTIF has had a long journey. From a list of issues on a sheet of paper to a worldwide coalition of people and businesses working together to create a safer digital world for all of us.”
–Derek Zimmer, Chief Executive Officer
We enhance the worlds security software by providing crucial support and resources to major and noteworthy open-source projects. Success involves a 3 point strategy.
- Bug Bounties – The OSTIF creates bounties that will be paid out to anyone who finds a major security bug in any of our supported projects. These grants incentivize the world to comb through the code of our projects and look for problems, dramatically improving the worlds confidence in the integrity and security of the projects.
- Direct Code Improvements Through Grants – The OSTIF gives grants to worthy projects in order to facilitate code changes to make improvements or upgrades to existing projects, allowing them to advance in quality, features, or proper documentation of code at a much faster pace.
- Professional Audits – The OSTIF gives grants to well-known professionals to audit code and look for bugs, back doors, or other errata. This will add another layer of confidence to the integrity and security of the projects.
Education – The OSTIF builds public knowledge about how to use open-source software to protect their digital privacy and secure their data.
Through these avenues the Open Source Technology Improvement Fund improves the critical security infrastructure of the Internet and be a force for strong security and privacy in the world.