The Open Source Technology Improvement Fund, Inc (OSTIF) is a corporate non-profit dedicated to securing critical open source projects. Securing software isn’t easy, and OSTIF knows what it takes to succeed. By facilitating audits and associated work, OSTIF makes it easy for projects to significantly improve security.
OSTIF adds value to the open-source ecosystem by making it easy for critical projects and the organizations and communities that depend on these projects to get expert security review. The process focuses on comprehensively improving security posture through closing classes of bugs, fixing vulnerabilities, and improving tooling.
The result of OSTIF's work is the fixing of vulnerabilities, patching of bugs and more importantly classes of bugs, and improvement in security posture.
Linux Kernel
OSTIF facilitated a coalition of experts to review the Linux Kernel’s practices and policies around how security vulnerabilities are reported to the kernel team, how those reports are processed and addressed, and how those vulnerabilities are disclosed to the public. Full report: https://ostif.org/a-review-of-the-linux-kernels-vulnerability-reporting-and-remediation/
OSTIF then coordinated a review of the Linux Kernel teams’ processes for release signing and for the policies and procedures for the handling of the signing keys. Full report: https://ostif.org/a-review-of-the-linux-kernels-release-signing-and-key-management-policies/
UnboundDNS
One Critical, Five High, and Five Medium severity issues were found, with an additional 39 issues that were rated as low or informational severity. Full report: https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/
OpenSSL 1.1.1
OSTIF's work on OpenSSL led to a total of 16 recommendations and changes in OpenSSL. Furthermore, reasonable assurance of a secure implementation of the new TLS 1.3 features and changes made to the Pseudo Random Number Generator (PRNG) was gained. Full report: https://ostif.org/the-ostif-and-quarkslab-audit-of-openssl-is-complete/