Open Source Technology Improvement Fund, Inc (OSTIF) is the non-profit responsible for thousands of hours of security improvement work and hundreds of vulnerability patches across the open source ecosystem.

In partnership with over 100 organizations, open source projects, and advocates, OSTIF is currently working with industry partners to help open source projects with their security needs.

In October 2022, OSTIF launched a pilot program to offer open source projects free security help.

Resources and Services Currently Being Offered:

  1. Security Review - OSTIF can mobilize a team of security experts to review a project (general design review; code quality, defensive programming, and best practices assessment) to identify and help fix vulnerabilities in the code.
  2. Fuzzing & Continuous Monitoring - OSTIF can mobilize a team of fuzzing experts to help projects build fuzzers and integrate them into OSS-Fuzz, which provides continuous fuzzing for open source software.

Open Source Project Maintainers & Contributors can make up to $10,000 for participating in the pilot. OSTIF made sure to include a mechanism for compensating projects and their maintainer/contributor base for their time and efforts in working with us.

Results of Pilot Program

Disclaimer: Information on the Pilot Program and its results is high level and reflects the final implementation and verification of fixes.

The Pilot Program took place from October 2022 to February 2023 and resulted in a number of security improvements to four open source projects. The improvements included increased fuzzing coverage by an average of 2-3x and the finding and fixing of approximately 10 security bugs. Project Maintainers and Contributors who participated in the Pilot Program received an average of $2,100 in remuneration for participating!