Yes, OSTIF does more than just audits!

Releasing today is our work on the @llvm BOLT binary scanner. Completed thanks to @quarkslab and @sovtechfund, the BOLT scanner received custom work to extend its coverage further.

Read about the work and its implications at our blog: https://ostif.org/bolt-security-engagement-complete/

Huge thank you to Kristof Beyls, creator of the BOLT binary scanner.

#OSTIF #Quarkslab #SovereignTechAgency #LLVM #BOLT

RE: https://mastodon.social/@FreeBSDFoundation/116676767603367392

2026 Open Source Security and Risk Analysis Report – Software Governance in the AI Era – Black Duck Software, Inc.

https://www.blackduck.com/content/dam/black-duck/en-us/reports/rep-ossra.pdf

― a direct link to the freely-available report that's mentioned in the joint statement from Apereo Foundation, Open Source Initiative (OSI), Open Source Technology Improvement Fund (OSTIF), and FreeBSD Foundation.

"The “Open Source Security and Risk Analysis” (OSSRA) report has been the industry’s definitive look at the state of open source code for a decade. Each year, we analyze anonymized findings from commercial codebases audited by the Black Duck Audit Services team, and this provides an unmatched, real-world view of how open source is used—and sometimes misused—across every major industry. This year’s findings document a pivotal moment: The explosion of AI-assisted development has fundamentally altered the risk landscape for software and the baseline for compliance with new regulatory initiatives such as the EU Cyber Resilience Act (CRA) and the Digital Operational Resilience Act (DORA). …"

#AI #CRA #DORA #OSI #OSTIF #FreeBSD #OSSRA

@cybervegan in fairness to the four signatories, the statement is suitably:

― terse
― professional
― non-aggressive.

I'm not the target audience, but I can see how the statement might grab the attention of individuals and groups who are targeted.

There is, amongst other things, an element of https://xkcd.com/2347/ (xkcd: Dependency) – without explicitly stating "Don't fuck this up."

Cc @jay_chi @FreeBSDFoundation

#OSI #OSTIF #Apero #FreeBSD #ageattestation


Open source organisations weigh in on age attestation

https://opensource.org/blog/open-source-organizations-weigh-in-on-age-attestation

https://mastodon.social/@FreeBSDFoundation/116676767603367392

The FreeBSD Foundation has joined the Open Source Initiative (OSI), the Apereo Foundation, and the Open Source Technology Improvement Fund (OSTIF) in issuing a joint statement on age-attestation requirements for operating systems.

Cross-posted to Reddit.

Home pages of the four signatories:

https://billboard.bsd.cafe/post/579


The Open Source Technology Improvement Fund is proud to share the results of our security audit of Scala, executed by a team of three auditors from Quarkslab. We want to thank our very own Derek Zimmer of OSTIF for advocating for this audit for a long time as well!

See the whole blog and report at https://ostif.org/scala-audit-complete/

#OSTIF #Quarkslab #SovereignTechAgency #Scala

During a security audit of vLLM managed by OSTIF.org, a bug was discovered through manual analysis by a senior security expert at X41 D-Sec.

A lack of input sanitization on host header paths in Starlette leads to bypassing auth with a single character across a huge swath of Python LLM infrastructure.

Update to Starlette 1.0.1 as soon as possible and read more about this vulnerability on https://badhost.org

#OSTIF #BadHost #vLLM #X41DSec

In 2023, DARPA announced a two-year-long competition called the Artificial Intelligence Cyber Challenge (AIxCC), a massive undertaking by dozens of organizations with the goal of safeguarding open source software used in critical infrastructure throughout America.

Read about the work on our blog: https://ostif.org/hack-to-the-future/

#OSTIF #DARPA #OpenSSF #OpenSource #AI

Voila: the results of OSTIF's security audit of Paramiko! Thanks to the contributions of @quarkslab and Alpha-Omega, this project received custom security work reviewing Paramiko’s testing, building and CI systems, and cryptography.

Read about our work on the Python implementation of the SSHv2 protocol at our blog: https://ostif.org/paramiko-audit-complete/

#OSTIF #quarkslab #OpenSSF #paramiko

Today we proudly share the results of our security audit of LibVLC. With auditing by @trailofbits and funding provided by the @sovtechfund, LibVLC received scoped security work, custom tools and fixes, and documentation for future security development.

Read more about the work performed on the open source core engine and foundation of VLC media player on our blog: https://ostif.org/libvlc-audit-complete/

#OSTIF #libVLC #TrailofBits #SovereignTechAgency


The Open Source Technology Improvement Fund is proud to share the results of our security engagement on Developing ECH for OpenSSL (“DEfO”). With the help of @adalogics @7ASecurity and the @sovtechfund, this project received expert security review, testing, and custom documentation contributing to DEfO’s ongoing development and security. Read more about it on our blog:

https://ostif.org/defo-audit-complete/

#OSTIF #DEfO #AdaLogics #7ASecurity #SovereignTechAgency