Voilà! The results of OSTIF's security audit of Paramiko. Thanks to the contributions of @quarkslab and Alpha-Omega, this project received custom security work reviewing Paramiko's testing, building and CI systems, and cryptography.

Read about our work on the Python implementation of the SSHv2 protocol at our blog: https://ostif.org/paramiko-audit-complete/

#OSTIF #quarkslab #OpenSSF #paramiko

Today we proudly share the results of our security audit of LibVLC. With auditing by @trailofbits and funding provided by the @sovtechfund, LibVLC received scoped security work, custom tools and fixes, and documentation for future security development.

Read more about the work performed on the open source core engine and foundation of VLC media player on our blog: https://ostif.org/libvlc-audit-complete/

#OSTIF #libVLC #TrailofBits #SovereignTechAgency

The Open Source Technology Improvement Fund is proud to share the results of our security engagement on Developing ECH for OpenSSL (“DEfO”). With the help of @adalogics @7ASecurity and the @sovtechfund, this project received expert security review, testing, and custom documentation contributing to DEfO’s ongoing development and security. Read more about it on our blog:

https://ostif.org/defo-audit-complete/

#OSTIF #DEfO #AdaLogics #7ASecurity #SovereignTechAgency

While reflecting on our past 10 years, we revisited vulnerabilities discovered during OSTIF audits. As a result of our work, several hundred bugs a year are discovered on average. With that in mind, our Executive Director Derek Zimmer proposed a new program: a Bug of the Year trophy, given to the individual who finds the best bug published by OSTIF in a calendar year.

We are proud to announce our top 3 bugs of the year on our blog: https://ostif.org/bug-of-the-year-award-2025/

#OSTIF #BOTY #7ASecurity

Miss our last OSTIF meetup?

You can catch the recording here of Robin David, Software Security Researcher and Research Lead at Quarkslab, presenting "Bitcoin Core Audit: From Static Review to Fuzzing — Inside Bitcoin’s Testing Infrastructure".

https://www.youtube.com/watch?v=J1Y1EJmtX_Q

#OSTIF #OpenSource #bitcoin

Don't miss tomorrow's OSTIF meetup with Robin David, Software Security Researcher and Research Lead at Quarkslab, presenting "Bitcoin Core Audit: From Static Review to Fuzzing — Inside Bitcoin’s Testing Infrastructure".

https://luma.com/gjnorzq0

#OSTIF #OpenSource #bitcoin

OSTIF is proud to share the results of our security audit of Stork.

Stork is an open source project developed by the Internet Systems Consortium (ISC) that acts as an administrative interface for monitoring, maintaining, and surveilling Kea servers.

With the help of 7ASecurity, this project received custom security testing, documentation, and tooling contributing to Stork's ongoing security and development work.

Full post here: https://ostif.org/stork-audit-complete/

#OSTIF #Stork #7ASecurity

We, like everyone else, couldn't look away from the Veritasium video on the XZ vulnerability.

While there is a lot to address, one point of this story stands out to us at OSTIF: it was a best practice, the secondary review of code before a push, that caught this before disaster struck.

Watch the video here to learn more about this incredible story of open source security and community: https://www.youtube.com/watch?v=aoag03mSuXQ

#OSTIF #Veritasium #XZ

For the past 4 years, OSTIF has run a Managed Audit Program for the CNCF. We've audited 33 projects in that time, working with maintainers all over the world to strengthen the security of cloud native open source software for billions of end users.

Read the report here: https://ostif.org/cncfmanagedprogramreport2025/

#OSTIF #CNCF #Report

Miss yesterday's amazing audit meetup "High Assurance Cryptography and the Ethics of Disclosure" w/ Nadim Kobeissi?

Catch the video here: https://www.youtube.com/watch?v=TdOXza1-M_4

Make sure you attend the live events if you want to participate in the Q&A, as those aren't recorded!

Also make sure you're subscribed to our Luma calendar for notifications of any new meetups! https://luma.com/ostif-meetups

#OSTIF #meetup #audit