ostif-org/OSTIF
What is OSTIF?

The Open Source Technology Improvement Fund, Inc (OSTIF) is a corporate non-profit dedicated to securing critical open source projects. Securing software is complex, and OSTIF builds on a body of work spanning over 10 years and 20,000 hours of experience. By facilitating focused engagements such as security audits, vulnerability fixes, testing improvements, supply chain hardening, and more, OSTIF makes it easy for projects and stakeholders to significantly improve their security posture.

How does OSTIF add value?

OSTIF adds value to the open-source ecosystem by making it easy for critical projects and the organizations and communities that depend on these projects to get expert security review. The process focuses on comprehensively improving security posture through closing classes of bugs, fixing vulnerabilities, and improving tooling. Needs are addressed and gaps in testing are patched.

Preview of results:

The result of OSTIF's work is the fixing of vulnerabilities, the patching of bugs and, more importantly, of whole classes of bugs, and an improvement in security posture.

Full Results at Completed-Engagements.md

Linux Kernel

OSTIF facilitated a coalition of experts to review the Linux Kernel’s practices and policies around how security vulnerabilities are reported to the kernel team, how those reports are processed and addressed, and how those vulnerabilities are disclosed to the public. Full report: https://ostif.org/a-review-of-the-linux-kernels-vulnerability-reporting-and-remediation/

OSTIF then coordinated a review of the Linux Kernel teams’ processes for release signing and for the policies and procedures for the handling of the signing keys. Full report: https://ostif.org/a-review-of-the-linux-kernels-release-signing-and-key-management-policies/

UnboundDNS

One Critical, Five High, and Five Medium severity issues were found, with an additional 39 issues that were rated as low or informational severity. Full report: https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/

OpenSSL 1.1.1

OSTIF's work on OpenSSL led to a total of 16 recommendations and changes in OpenSSL. Furthermore, reasonable assurance of a secure implementation of the new TLS 1.3 features and changes made to the Pseudo Random Number Generator (PRNG) was gained. Full report: https://ostif.org/the-ostif-and-quarkslab-audit-of-openssl-is-complete/

An overview of OSTIF's Security Reviews can be found here

Open Source Project In Need Of Security Help? Check out OSS Resources

About

Security Work and Manual Reviews facilitated by Open Source Technology Improvement Fund, aka OSTIF
