The Open Source Technology Improvement Fund is a corporate non-profit organization that connects open-source security projects with much needed funding and logistical support. We do this through public fund-raising and the solicitation of donations from corporate and government donors.
Now more than ever, the world needs strong open-source security software. Because of the lack of a profit motive, core open-source projects are woefully underfunded and their resources are lacking.
This leaves crucial Internet infrastructure susceptible to bugs, poor documentation, poor performance, slow release schedules, and even espionage. OSTIF funds and supports the most critical open-source projects, with the aim of strengthening the security of the entire Internet.
OSTIF enhances security for users everywhere.
We do this through security reviews. A focused and correctly scoped security review, executed by an experienced team, results in significant and long-lasting improvements to software.
Our expert reviews have resulted in hundreds of bug patches, including over 20 with a Critical or High severity. As a result, we have made the Internet safer for users all over the world.
OSTIF’s Audit Process
Step 1: Coordinate
OSTIF meets with you one-on-one to understand your needs and define a preliminary scope. Bids are collected from a diverse network of auditors and analyzed based on cost and expertise.
Step 2: Audit
After approval, the audit team gets to work. You are provided with updates as the review progresses. OSTIF manages the process and acts as a neutral party to handle any questions or concerns.
Step 3: Patch
Auditors supply you with the results of the evaluation and assist with fixes and strengthening the code. This process allows for lasting impact on the software’s security.
Step 4: Release Report and Maintain
The updated code and audit report are released to the public. This provides assurance to users that the software has been expertly reviewed.
A security audit can provide quick project improvments, but are just the beginning of a long-term maintenance process. Further activities including bug bounties, supplemental reviews of new updates, and additional audits are available through OSTIF.
Why Open-Source Projects and Corporate Clients Partner With OSTIF
OSTIF’s mission is to improve the long-term security and sustainability of critical open-source projects. Our vision is to be a premier partner and advocate for advancing the security of open-source software. We do this by helping organizations and communities gain access to better security resources. OSTIF has spent the last 5+ years developing a deep network of security experts, audit groups, corporate representatives, and FOSS advocates, all working to fulfill its mission.
Open-source projects and corporations of all sizes partner with OSTIF because we make the process incredibly easy. We provide end-to-end assistance with every phase of a security project.
We work with you one-on-one to help identify appropriate areas of code coverage for your project’s security review, and select a scope that gives your project the most benefit.
We have spent years building a network of vetted security partners, who all bid on your project. Our bidding and scoping process results in significant cost savings and assurance that the review is focused on the right things.
We closely monitor the audit process as it proceeds, and act as a mediator in disputes over the reporting and severity of security bugs that are found.
We provide a place to fund-raise for your project without needlessly spending months creating a formal business entity. Furthermore, our nonprofit status provides further cost and tax benefits.
Procuring high quality audit resources while keeping costs in check requires a significant amount of scoping and coordination. OSTIF handles the process from start to finish and delivers an audit report to document the process and fixes. Our bidding process and diverse network ensures that costs are managed, and audits are correctly scoped and staffed.
If your team is interested in procuring a security review with OSTIF, or if you have questions and want to learn more, get in touch with us! We have learned that a personal touch and hands-on approach creates better results. The best way to contact us is to e-mail our CEO directly with a brief introduction and the best way to contact you. His email is shown below:
To learn more about OSTIF, read about our accomplishments and goals.
Open Source Technology Improvement Fund, Inc. (OSTIF) was founded in 2015 with the mission of connecting open-source projects with much needed funding and logistical support.
Since then, over 3,000 hours of audit work for critical open-source software has been coordinated. This security work has resulted in the patching of hundreds of security bugs, impacting billions of users globally. We have partnered with more than 25 organizations to coordinate audits for a variety of open-source projects, such as OpenSSL, OpenVPN, and Unbound DNS.
As a 501(c)3 nonprofit organization, OSTIF has remained devoted to strengthening the Internet by improving the security of free and open-source software. We are committed to helping our partners and clients get the resources they need to maintain secure and reliable software.
“OSTIF has had a long journey, from a list of issues on a sheet of paper to a worldwide coalition of people and businesses working together to create a safer digital world us all.”
‐ Derek Zimmer, Chief Executive Officer
We enhance the world’s security software by providing crucial support and resources to major and noteworthy open-source projects. Success involves a 3 point strategy:
- Bug Bounties– The OSTIF creates bounties that will be paid out to anyone who finds a major security bug in any of our supported projects. These grants incentivize the world to comb through the code of our projects and look for problems, dramatically improving the worlds confidence in the integrity and security of the projects.
- Direct Code Improvements Through Grants– The OSTIF gives grants to worthy projects in order to facilitate code changes to make improvements or upgrades to existing projects, allowing them to advance in quality, features, or proper documentation of code at a much faster pace.
- Professional Audits– The OSTIF gives grants to well-known professionals to audit code and look for bugs, back doors, or other errata. This will add another layer of confidence to the integrity and security of the projects.
Education – The OSTIF builds public knowledge about how to use open-source software to protect their digital privacy and secure their data.
Through these avenues the Open Source Technology Improvement Fund improves the critical security infrastructure of the Internet and be a force for strong security and privacy in the world.