The Open Source Technology Improvement Fund is proud to share the results of our security audit of Volcano. Volcano is an open source, cloud native batch scheduling system that offers, among other things, queue management and multi-cluster scheduling. With the help of Ada Logics and the Cloud Native Computing Foundation (CNCF), this audit helps the project move forward in the CNCF graduation process.
Audit Process:
This audit took place over 5 weeks in March and April of 2025 and was carried out by a three person team from Ada Logics. Scoped to the main branch of the Volcano project, the work focused on threat modelling, manual code review, and fuzzing of the codebase. It resulted in more secure-by-default behaviour in the project, ongoing fuzz testing through OSS-Fuzz, and reduced risk to users. The audit report includes a detailed and illustrated threat model of Volcano covering its trust boundaries, threat actors, and example attacks.
Audit Results:
- 10 issues with security impact
- 1 High, assigned a CVE (CVE-2025-32777)
- 5 Medium
- 4 Low/Informational
- Custom Threat Model
- Integrated into OSS-Fuzz
- 2 custom fuzzers written for Volcano
The Volcano maintainers have resolved all issues reported by this audit. OSTIF would like to thank the Volcano maintainer team for their participation during this engagement and their efforts in quickly fixing the audit's findings.
Thank you to the individuals and groups that made this engagement possible:
- Volcano maintainers and community, especially: William Wang and Xavier Chang
- Ada Logics: Arthur Chen, Adam Korczynski, David Korczynski
- The Cloud Native Computing Foundation
You can read the Audit Report HERE
You can read the Ada Logics and Volcano Blog HERE
OSTIF is celebrating our 10 year anniversary! Join us for a meetup about our work, lessons learned, and where we see the future of open source security going by following our meetup calendar https://lu.ma/ostif-meetups