Security Work and Manual Reviews facilitated by Open Source Technology Improvement Fund, aka OSTIF

ostif-org/OSTIF

What is OSTIF?

The Open Source Technology Improvement Fund, Inc (OSTIF) is a corporate non-profit dedicated to securing critical open source projects. Securing software isn’t easy, and OSTIF knows what it takes to succeed. By facilitating audits and associated work, OSTIF makes it easy for projects to significantly improve security.

How does OSTIF add value?

OSTIF adds value to the open-source ecosystem by making it easy for critical projects and the organizations and communities that depend on these projects to get expert security review. The process focuses on comprehensively improving security posture through closing classes of bugs, fixing vulnerabilities, and improving tooling.

Preview of results:

The result of OSTIF's work is fixed vulnerabilities, patched bugs (and, more importantly, closed classes of bugs), and an improved security posture.

Linux Kernel

OSTIF facilitated a coalition of experts to review the Linux Kernel’s practices and policies around how security vulnerabilities are reported to the kernel team, how those reports are processed and addressed, and how those vulnerabilities are disclosed to the public. Full report: https://ostif.org/a-review-of-the-linux-kernels-vulnerability-reporting-and-remediation/

OSTIF then coordinated a review of the Linux Kernel team's release-signing process and of the policies and procedures for handling the signing keys. Full report: https://ostif.org/a-review-of-the-linux-kernels-release-signing-and-key-management-policies/

Unbound DNS

One Critical, five High, and five Medium severity issues were found, with an additional 39 issues rated as Low or Informational severity. Full report: https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/

OpenSSL 1.1.1

OSTIF's work on OpenSSL led to a total of 16 recommendations and changes in OpenSSL. The audit also gave reasonable assurance that the new TLS 1.3 features and the changes made to the pseudo-random number generator (PRNG) were implemented securely. Full report: https://ostif.org/the-ostif-and-quarkslab-audit-of-openssl-is-complete/

An overview of OSTIF's security reviews can be found here.

Open source project in need of security help? Check out OSS Resources.
