## Stats

- 20,000 hours of coordinated security review
- 800 security vulnerabilities found and patched
- 66 CVEs
- 200+ severe bugs found and patched (bugs that would rate High or Critical on the CVSS scale)
- 500+ tools added to projects
- 100+ projects audited
- $3,000,000+ raised for security work

## Audits

The following is a list of engagements organized by OSTIF. PDF versions of the full report(s) are linked in the Deliverable column of each entry, at the bottom of the linked post.
| Product | Review Date | Work Performed | Deliverable |
|---|---|---|---|
| 25 AI/LLM Projects | December 2025 | Manual Code Review | 25 AI/LLM Review Complete! |
| Thunderbird Send | December 2025 | Manual Code Review, Automated Testing | Thunderbird-Send Audit Complete! |
| Bitcoin Core | November 2025 | Manual Code Review, Automated Testing | Bitcoin Core Audit Complete! |
| KubeVirt | November 2025 | Threat Model, Manual Code Review, Automated Testing | KubeVirt Audit Complete! |
| OpenSSF Scorecard | October 2025 | Threat Model, Manual Code Review, Automated Testing | OpenSSF Scorecard Audit Complete! |
| GNU libmicrohttpd2 | September 2025 | Threat Model, Manual Code Review, Automated Testing | GNU Libmicrohttpd2 Audit Complete! |
| PHP Documentation | September 2025 | Documentation Audit | PHP Documentation Audit Complete! |
| MaterialX | July 2025 | Threat Model, Manual Code Review, Automated Testing | MaterialX Audit Complete! |
| OpenEXR | July 2025 | Threat Model, Manual Code Review, Automated Testing | OpenEXR Audit Complete! |
| PowSyBl | July 2025 | Threat Model, Manual Code Review, Automated Testing | PowSyBl Audit Complete! |
| conda-forge | July 2025 | Threat Model, Manual Code Review, Automated Testing | conda-forge Audit Complete! |
| Volcano | June 2025 | Threat Model, Manual Code Review, Automated Testing | Volcano Audit Complete! |
| Ruby on Rails | June 2025 | Threat Model, Manual Code Review, Automated Testing | Ruby on Rails Audit Complete! |
| Log4Net & Log4cxx | June 2025 | Threat Model, Manual Code Review, Automated Testing | Log4Net & Log4cxx Audits Complete! |
| nghttp3 & ngtcp2 | May 2025 | Manual Code Review, Automated Testing | nghttp3 & ngtcp2 Audits Complete! |
| NATS | April 2025 | Manual Code Review, Automated Testing | NATS Audit Complete! |
| Istio ztunnel | April 2025 | Manual Code Review, Automated Testing | Istio ztunnel Audit Complete! |
| PHP | April 2025 | Manual Code Review, Automated Testing | PHP Audit Complete! |
| RSTUF | March 2025 | Manual Code Review, Automated Testing | RSTUF Audit Complete! |
| Logback | February 2025 | Manual Code Review, Automated Testing | Logback Audit Complete! |
| Linkerd | February 2025 | Manual Code Review, Automated Testing | Linkerd Audit Complete! |
| Hickory DNS | February 2025 | Manual Code Review, Automated Testing | HickoryDNS Audit Complete! |
| Notary Project Cryptography | January 2025 | Manual Code Review, Automated Testing | Notary Project Cryptography Audit Complete! |
| Karmada | January 2025 | Threat Model, Manual Code Review, Automated Testing | Karmada Audit Complete! |
| Backstage | December 2024 | Manual Code Review, Automated Testing | Backstage Audit Complete! |
| Node.js Fuzzing | October 2024 | Manual Code Review, Automated Testing | Node.js Fuzzing Audit Complete! |
| Express | October 2024 | Threat Model, Manual Code Review, Automated Testing | Express Audit Complete! |
| OperatorFabric | September 2024 | Threat Model, Manual Code Review, Automated Testing | OperatorFabric Audit Complete! |
| SEAPATH | September 2024 | Threat Model, Manual Code Review, Automated Testing | SEAPATH Audit Complete! |
| LitmusChaos | August 2024 | Threat Model, Manual Code Review, Automated Testing | LitmusChaos Audit Complete! |
| Fastify | August 2024 | Threat Model, Manual Code Review, Automated Testing | Fastify Audit Complete! |
| Cloud Native Buildpacks | July 2024 | Threat Model, Manual Code Review, Automated Testing | Cloud Native Buildpacks Audit Complete! |
| Apache Commons | July 2024 | Manual Code Review, Automated Testing | Apache Commons Audit Complete! |
| Cyclone DDS | June 2024 | Manual Code Review, Automated Testing | CycloneDDS Audit Complete! |
| Temurin | June 2024 | Manual Code Review, Automated Testing | Temurin Audit Complete! |
| OpenSSL | June 2024 | Manual Code Review, Automated Testing | OpenSSL Audit Complete! |
| Kuksa | May 2024 | Threat Model, Manual Code Review, Automated Testing | Kuksa Audit Complete! |
| Cloud Custodian | April 2024 | Manual Code Review, Automated Testing, Supply Chain Security Analysis | Cloud Custodian Audit Complete! |
| Bref | March 2024 | Manual Code Review, Automated Testing | Bref Audit Complete! |
| cert-manager | March 2024 | Threat Modeling, Manual Code Review, Automated Testing, SLSA | cert-manager Audit Complete! |
| LLVM | March 2024 | Manual Review, Fuzzing Setup and Improvements | LLVM Audit Complete! |
| cURL HTTP/3 | February 2024 | Manual Review, Fuzzing Improvements | cURL Audit Complete! |
| Jackson-Dataformats and Jackson-Datatypes | February 2024 | Manual Review, Threat Modeling, Fuzzing Improvements | Audit of Jackson-Dataformats and Jackson-Datatypes Complete |
| php-tuf | January 2024 | Security Audit, Threat Modeling, Tooling Improvements | PHP-TUF Audit Complete! |
| Amazon Web Services & Eclipse Foundation Security Audit Impact Report | Calendar Year 2023 | Aggregate Results | Link to Post and Report |
| CubeFS | January 2024 | Threat Modeling, Manual Code Review, Automated Testing, SLSA | CubeFS Security Audit is Complete |
| 2023 CNCF Audit Impact Report | Calendar Year 2023 | Aggregate Results | 2023 Cloud Native Computing Foundation Audit Impact Report |
| 50th Audit Milestone | YTD | Top Vulnerability Types Found, Lessons Learned, Common Auditing Mistakes | 50th Audit Milestone |
| 2023 Annual Report | Calendar Year 2023 | Aggregate Results | 2023 OSTIF Annual Report |
| nvm | December 2023 | Threat Modeling, Manual Code Review, Automated Testing, SLSA | nvm Security Audit Complete |
| Knative | November 2023 | Threat Modeling, Manual Code Review, Automated Testing, SLSA | Knative Security Audit Complete |
| Kyverno | November 2023 | Threat Modeling, Manual Code Review, Automated Testing, SLSA | Kyverno Security Audit Complete |
| Mosquitto | November 2023 | Threat Modeling, Manual Code Review, Automated Testing | The Buzz about Mosquitto’s Security Audit! |
| Flux | November 2023 | Manual Code Review, Automated Testing | In-Flux-ible on Bugs: Flux Undergoes Security Audit with OSTIF and Trail of Bits |
| rust-vmm | November 2023 | Manual Code Review | RustVMM Security Audit with OSTIF is Complete! |
| Jetty | October 2023 | Manual Code Review, Threat Model, Fuzzing and Static Analysis Tool Implementation | OSTIF Has Completed an Audit of Jetty! |
| wasmCloud | October 2023 | Manual Code Review, Fuzzing | OSTIF Has Completed A Security Audit of wasmCloud! |
| OpenSearch | September 2023 | Manual Code Review | Bugs? Search Me! OpenSearch Security Audit Completed! |
| JKube | September 2023 | Threat Modeling, Manual Code Review | JKube Security Audit Completed! |
| OSTIF’s Security Expertise | September 2023 | Visual Aggregate of OSTIF’s Work | View Here |
| Dragonfly | September 2023 | Security Review, Fuzzing Improvements, Threat Model | OSTIF’s Favorite Bug: DragonFly! |
| Dapr | September 2023 | Security Review, Fuzzing Improvements, Supply Chain Assessment, Threat Model | Dampening Vulnerabilities in Dapr: Security Audit of Dapr |
| Envoy Proxy | August 2023 | Bug Triage and Fixes, Fuzzing Performance Improvements | OSTIF collaborates with the Envoy Team to further improve security posture. |
| Crossplane | July 2023 | Security Review, Fuzzing Improvements, Supply Chain Assessment, Threat Model | OSTIF completes Security Audit of Crossplane: improved across the board! |
| Mozilla K-9 Mail | July 2023 | Security Review, Supply Chain Assessment, Threat Model | OSTIF’s Security Audit of K-9 Mail is Complete! |
| Equinox p2 | July 2023 | Security Review, Tooling Review | OSTIF’s Audit of Equinox P2 is Complete! |
| libjpeg-turbo | July 2023 | Security Review | Our Audit of libjpeg-turbo is Complete! |
| Notation | July 2023 | Security Review, Fuzzing Improvements, SLSA Assessment | OSTIF’s Security Audit of Notation: Duly Noted! |
| go-tuf | June 2023 | Security Review | go-tuf on Bugs! OSTIF’s Audit of go-tuf! |
| Vitess | May 2023 | Security Review, Fuzzing Improvements | Our Audit of Vitess is Complete! |
| in-toto | May 2023 | Security Review | Our Audit of in-toto is Complete! |
| c-ares | May 2023 | Security Review, Fuzzing Improvements | Our Audit of c-ares is Complete! |
| libcap | May 2023 | Security Review, Fuzzing Improvements | Our Audit of Libcap is Complete! |
| SimpleJSON | April 2023 | Security Review, Fuzzing Improvements | Our Audit of SimpleJSON is Complete! |
| 2022 OSTIF Annual Report | March 2023 | Security Reviews, Threat Modeling, Fuzzing Improvements | The 2022 OSTIF Annual Report |
| Falco | March 2023 | Security Review, Threat Modeling, Fuzzing Improvements | Our Review of Falco is Complete! |
| 2022 CNCF Impact Report | July 2022 – February 2023 | Security Reviews, Threat Models, Fuzzing Improvements, SLSA Assessments | The OSTIF Impact Report for the Cloud Native Computing Foundation |
| Git for Windows Software Supply Chain Audit | February 2023 | SLSA Assessment | Our Software Supply Chain Audit of Git for Windows is Complete! |
| Cilium | February 2023 | Security Review, Threat Model, Fuzzing Improvements, SLSA Assessment | Our Audit of Cilium is Complete! |
| KEDA | February 2023 | Security Review, Threat Modeling | Our Audit of Kubernetes Event Driven Autoscaling (KEDA) is Complete |
| Independent Security Audit Impact Report | February 2023 | Security Reviews, Threat Models, Tooling Improvements | The OSTIF Independent Security Audit Impact Report |
| Istio | January 2023 | Security Review, Threat Model, Fuzzing Improvements, SLSA Assessment | The Audit of Istio is Complete! |
| Git | January 2023 | Security Review, Threat Model | The Audit of Git is Complete! |
| cURL | October 2022 | Security Review, Threat Model | Results of curl Security Audit. |
| CloudEvents | September 2022 | Security Review | Results of the CloudEvents Security Assessment. |
| Jackson-Core and Jackson-Databind | August 2022 | Security Review, Threat Model, Fuzzing Suite Update | Our Audits of Jackson-Core and Jackson-Databind are Complete. |
| Python-TUF | September 2022 | Security Review | Our Audit of Python-TUF is Complete. Multiple Issues Found and Fixed. |
| Backstage | April – August 2022 | Security Review, Threat Model | The OSTIF Audit of Backstage with X41 D-Sec is Complete! |
| CNCF Impact Report | November 2021 – July 2022 | Security Reviews & Associated Work | The Cloud Native Computing Foundation and OSTIF Impact Report. |
| SLF4J | April 2022 | Security Review, Threat Model, Supply Chain Security Review | Our Audit of SLF4J is Complete! |
| sigstore | May 2022 | Security Review, Threat Model | Our Audit of sigstore is Complete. High Risk Vulnerability Found and Fixed. |
| Argo | April 2022 | Security Review, Threat Model | Our Audit of Argo is Complete. Critical and High Severity Issues Found and Fixed |
| KubeEdge | July 2022 | Security Review, Threat Model, Supply Chain Security Assessment | Our Audit of KubeEdge is Complete. Multiple Security Issues Found and Fixed |
| CRI-O | June 2022 | Security Review, Threat Model, Supply Chain Security Assessment | Our Audit of CRI-O is Complete. High Severity Issues Found and Fixed |
| Flux | September 2021 | Security Review | Our Audit of Flux2 is Complete |
| Linux Kernel | April 2021 | Policy Review | A Review of the Linux Kernel’s Release Signing and Key Management Policies |
| Linux Kernel | January 2021 | Policy Review | A Review of the Linux Kernel’s Vulnerability Reporting and Remediation |
| COVID Shield | October 2020 | Security Review, Threat Model | The Linux Foundation Public Health Initiative Sponsored the Audit of COVID Exposure Notification Apps. |
| COVID Green | October 2020 | Security Review, Threat Model | The Linux Foundation Public Health Initiative Sponsored the Audit of COVID Exposure Notification Apps. |
| CLSAG | July 2020 | Security Review | The OSTIF Audit of Monero CLSAG is Complete! |
| Unbound | December 2019 | Security Review | Our Audit of Unbound DNS by X41 D-Sec |
| RandomX | August 2019 | Security Review | Four Audits of RandomX for Monero and Arweave have been Completed |
| OpenSSL | January 2019 | Security Review | The OSTIF and Quarkslab Audit of OpenSSL is Complete |
| Monero Bulletproofs | October 2018 | Security Review | The QuarksLab and Kudelski Security Audits of Monero Bulletproofs are Complete |
| Monero Bulletproofs | July 2018 | Security Review | The QuarksLab and Kudelski Security Audits of Monero Bulletproofs are Complete |
| OpenSSL PRNG | September 2018 | Security Review | Our Review of the OpenSSL 1.1.1 Random Number Generation Update |
| OpenVPN | May 2017 | Security Review | The OpenVPN 2.4.0 Audit by OSTIF and QuarksLab: Results |
| VeraCrypt | October 2016 | Security Review | The VeraCrypt Audit Results |