Why OSTIF? – What OSTIF Does for your Open Source Project

Software security is complex, and the process of finding appropriate security engineers with the right scope and price is even more difficult. OSTIF’s role in the open source community is to help projects get through the process with as few headaches as possible with full transparency and trust. All too often, projects are overpaying on rates, hours, or for unqualified contractors to review their code.

OSTIF provides:

Assistance with Scoping – We help identify appropriate areas of code coverage for your project’s security review, and select a scope that gives your project the most benefit based on your projects use-case, the codebase itself, your dependencies, and the security practices that your project already utilizes. Appropriate scoping reduces costs while making security review more effective by allowing the engineers to spend their time in the most effective areas.

Assistance with Pricing – We have spent years building a network of vetted security partners, whom all bid on your project. This acts as an aggressive price control that saves projects that work with us thousands every year, while only allowing top security professionals with novel published research in your projects scope to review your project.

Assistance with Quality Control – We closely monitor the audit process as it proceeds, and act as a mediator in disputes over the reporting and severity of security bugs that are found. Reports are repeatedly revised until all parties are happy with the content of the report before public disclosure.

Assistance with Banking – Many open source projects are not full business entities with bank accounts or staff. OSTIF can provide a place to fund-raise for your project without needlessly spending months creating a formal business entity.

Nonprofit Status – OSTIF is a 501(c)3 charitable organization, keyed under scientific research. Donations to OSTIF are tax write offs in the United States. This can encourage corporate donations in your project’s security review.

Remediation – We instruct our security teams to seek opportunities to close classes of bugs from projects. If the auditors spot an issue that seems to reoccur multiple times throughout the same review, they are instructed to provide remediation steps so that not only are the existing bugs squashed, but an improvement in practices can permanently prevent the issue from reoccurring as the project continues to develop and grow.

Transparency – OSTIF acts as a neutral third party. We always disclose our work to the public in full, with a short synopsis page that describes the review in a ~10 minute read, and with the full paper available for public consumption. This provides your project with more than increased trust from the public; It provides OSTIF with a peer review process that allows critique of our work and results, and it allows administrators and developers around the world to consider your project for integration into their work.

MORE – Every project is unique. We consider the novel challenges that every project faces, and work to help solve those problems.