We are pleased to announce that the KubeVirt Security Audit report has been published, in collaboration with @quarkslab.bsky.social and @ostifofficial.bsky.social Check out our blog post for all the details: kubevirt.io/2025/Announc...

#KubeCon day 1 keynotes: Amir Montaziry from @ostifofficial.bsky.social talking about securing open source projects and an update on the @kubernetes.io audit which I helped out with along with @iainsmart.bsky.social

OSTIF is proud to announce that our audit of @kubevirt.bsky.social is now public! This would not be possible without the contributions of Quarkslab and the Cloud Native Computing Foundation. Read about the work on our blog: ostif.org/kubevirt-aud...

Amir and Derek present Reflections on 10 Years: Celebrating the Open Source Technology Improvement Fund next Thursday, November 6th 13:00 CST. Hear our friends and collaborators in discussion with us about our past, present, and future. RSVP here: luma.com/nudnh5sv

Boo! Publish your threat models! 👻 Does that scare you? Join us Wednesday, Oct 29th at 14:00 CT with @adamshostack.bsky.social, who will be presenting on why transparency isn't something to be frightened of. RSVP to add straight to your calendar: luma.com/6fvp6orm

Should we publish our threat models? I explore a different lens with OSTIF for how transparency can benefit everyone. Oct 29, 14:00 CT 👉 luma.com/6fvp6orm

On November 6th at 13:00 CST, we are hosting "Reflections on 10 Years with OSTIF." Not just a reflection, this is a summation of our past, present, and future. RSVP to tell us your OSTIF experience, join in the celebration, or just to see what special guests we have joining: luma.com/nudnh5sv

This week's blog is "OSTIF's Strategy Plan". No holds barred, it's complete transparency of what our goals for the next 3-5 years are. If you've got 5 minutes to spare on this autumn Friday, you'll be caught up: ostif.org/ostifs-strat...

The @ostifofficial.bsky.social recently completed a security audit of #OpenSSFScorecard. With support from the OpenSSF, this audit covered five core repositories and included threat modelling, manual code review, and fuzz testing. . Read to learn more:🔗 openssf.org/blog/2025/10...

Publish your threat models! Not convinced? I'll be hosting a talk with OSTIF on Oct 29 @ 2pm CT for you to ask me questions. Register now and have your questions, thoughts, and comments ready! luma.com/6fvp6orm

Join us October 29th at 14:00 CST for a meetup with @adamshostack.bsky.social! RSVP here: luma.com/6fvp6orm First Adam will present on threat models (he literally wrote *the* book on the subject) and a Q&A portion will follow. We look forward to him and our community connecting!

🆕 🔐 Cybersecurity isn’t just for CISOs—every leader must frame cyber risk as business risk. LF’s Executive Education equips senior leaders to: 🔹 Turn risk into advantage 🔹 Build resilient teams 🔹 Leverage emerging tech apply now 👉 training.linuxfoundation.org/training/lfe... #CyberRisk

Duck, duck...goose (eggs)! OSTIF is honored to be a five time recipient of DuckDuckGo's Charitable Donations Program. Read about this donation and its impact on us at our blog: ostif.org/five-years-d...

We've got a GNU audit for you! GNU libmicrohttpd2 was audited thanks to @sovereign.tech and ADA Logics. The library underwent a threat modeling practice, fuzzing improvements, and a small cryptography review. Read about it on our blog: ostif.org/gnu-libmicro...

We're baaaccckkkkk... and this time, we have @adamshostack.bsky.social! Join us next month, Oct 29th 14:00 CST, for a meetup on threat modeling: developing them, using them, and publishing them. RSVP to attend: luma.com/6fvp6orm

RTFM they say but if you read the manual and copy code examples from it you may inadvertently introduce vulns in your code 🙀 In April we audited the PHP code. Now we followed up with a review of the code snippets in PHP documentation and found 81 issues 👇 blog.quarkslab.com/security-rev...

Join us in celebrating our first Community Spotlight honorees, David Korczynski and Adam Korczynski! Learn more about these brothers and business partners in our Community Spotlight post: ostif.org/001-2025-com...

Start your workweek with a bit of rumination and OSTIF's latest blog post: "Open Source Summit and OpenSSF Community Day EU 2025 Reflection" ostif.org/ossummit-com...

@openssf.org Community Day aka the big day for us! Amir will participating in a tabletop exercise at 15:40 and Helen will be speaking on our audit of RSTUF at 10:50. Check out the rest of the schedule here: events.linuxfoundation.org/openssf-comm...

Bridging the gap between open source project security and foundations- its what we do. "The Bridge to Improving Security: How OSTIF Helps Foundations" is live now on our blog: ostif.org/ostif-helps-...

thank you to the @openssf.org for the opportunity to chat about our work and mission on "What's in the SOSS?" Listen on your preferred podcasting app: openssf.org/podcast/2025...

Our team recently completed three security audits of Permuto for @chia.net. You can read the full report, including our findings, here: leastauthority.com/blog/audit-o...

We're thrilled to have Amir Montazery, Managing Director for @ostifofficial.bsky.social, presenting "Success Stories in Open Source: Third Party Security Audits" at #AllThingsOpen! 2025.allthingsopen.org/sessions/2-f...

We thought it would be timely to make a statement about our involvement with and position re: @OpenForumEurope EU-STF report. Get our thoughts at the blog: ostif.org/eu-stf-and-o...

Our Managing Director Amir will be speaking at the @aswf.io Open Source Days on Sunday! RSVP at sched.co/25j6n to hear about why "Security Audits Aren't Scary", and how renewable security efforts help projects, foundations, and the open source community!

In partnership with @aswf.io, OSTIF and @shielder.com worked on audits of MaterialX and OpenEXR. Our deepest gratitude for this opportunity to work with incredible maintainers and cool projects such as these- read about them at our blogs: ostif.org/materialx-au..., ostif.org/openexr-audi...

🚨 New Open Source Audit Alert! 🚨 Shielder, with @ostifofficial.bsky.social & ASWF audited OpenEXR and MaterialX: 🔍 11 issues found (1 critical, 3 still to be published) ✔️ Most fixed, others planned 🗣️ ndaprela @smaury.bsky.social @suidpit.bsky.social @thezero.org Full details in the blog post ⬇️🧵

It's possible- our audit of PowSyBl is complete! Completed with auditing by Ada Logics and funding provided by @lfenergy.bsky.social, the work resulted in multiple holistic improvements to project security. Details at our blog: ostif.org/powsybl-audi...

OSTIF, RSTUF, and X-41 D-Sec are presenting on the audit of RSTUF next month in Amsterdam at @openssf.org Community Day! RSVP to add our talk to your schedule at sched.co/25dGk

We “conda” believe it! In collaboration with 7ASecurity and @sovereign.tech, we carried out an audit of conda-forge. Read the details at our blog: ostif.org/conda-forge-...

Happy Anniversary to our audit of CycloneDDS! Released last year, this work was a collab with Alpha Omega, Eclipse Foundation, X41 D-Sec, and CycloneDDS maintainers with OSTIF to create security outcomes. Read the report and visith shareholder blogs at our own blog: ostif.org/cyclndds-aud...

Party on, OSTIF! We toasted in our 10 year anniversary this weekend with a new employee, new merch, and fresh eyes on the next 10 years ahead (also: cheesecake pie). See some pics of the party and read about the rest of our anniversary plans at our blog: ostif.org/10yr-party/

We are erupting with excitement to share our audit of Volcano! This work was completed with support from @cncf.io and auditing done by Ada Logics. It resulted in improvements to fuzz testing and secure by design processes- read about those results and more at ostif.org/volcano-audi...

OSTIF is proud to share the results of our audit of Ruby on Rails. Completed with auditing by X41 D-Sec and engineering support provided by @gitlab.com, this work was possible with funding by the @sovereign.tech. Read more about this audit at our blog: ostif.org/ruby-on-rail...

log4cxx and log4net are audited! Done in collaboration with the @sovereign.tech and carried out by ADA Logics, this security work on two Apache Software Foundation projects was carried out late last year. Read more at ostif.org/log4cxx-log4...

As OSTIF grows our presence in communities and offers an open platform for people through our meetups, it became more pressing to us as a team to create a Code of Conduct to set the expectation of behavior for those we interact with. Read more about the Code: ostif.org/ostif-code-o...

We're pleased to announce the publication of our audits of nghttp3 and ngtcp2! Carried out by X41 D-Sec with funding by @sovereign.tech, the details are available at our blog: ostif.org/nghttp3-ngtc...

Call for meetup proposals! We're looking for 20-30 minute lightning talks with accompanying deck for visual guidance. Simply fill out the form at this Calendly link (calendly.com/helen-ostif/...) pick your date & time, and speak directly to the OSTIF community!

ICYMI: @nadim.computer's meetup from last week about Cure53's Coinbase cryptographic library audit is available to watch on Youtube youtu.be/2wR25jFgPSo?... share with your friends, your mom, and your mom's friends who are into crypto (cash or -graphy)

Starting in 25 minutes!

REMINDER: Real World Cryptography Paris Meetup 4 is happening NEXT WEEK at @Ledger HQ! Great talks on ZK, high assurance crypto and more. Make sure to register on time so we know how much baguette and fromage to get from the caterer: lu.ma/75ykn6t2

Wednesday- you, Nadim Kobeissi (@nadim.computer), and OSTIF's community meeting about Lessons from the Coinbase CB-MPC Cryptographic Library Audit. RSVP here lu.ma/ymr9db3z

Istio's ambient mode was built for security from the ground up. So, it's not surprising that ztunnel has sailed through its first security audit, thanks to Trail of Bits, @ostifofficial.bsky.social and @cncf.io. Read more: istio.io/latest/blog/...

We are proud to share the results of our audit of NATS! The work was done in collaboration with @trailofbits.bsky.social , @synadia.bsky.social , and the @cncf.io - read more details at ostif.org/nats-audit-c...

OSTIF is proud to announce the publication of our audit of @istio.io's ztunnel implementation. This work was done with the Istio product security working group, @trailofbits.bsky.social and the @cncf.io. Read about the results in our blog ostif.org/istio-ztunne...

Join us next Wednesday, April 23rd, for an OSTIF #meetup with @nadim.computer, Senior Applied Cryptography Auditor at Cure53, presenting "Guarding the Gates: Lessons from the Coinbase CB-MPC Cryptography Library Audit". RSVP here to have the meetup added to your calendar- lu.ma/ymr9db3z

Join us next Wednesday, April 23rd, for an OSTIF #meetup with @nadim.computer, Senior Applied Cryptography Auditor at Cure53, presenting "Guarding the Gates: Lessons from the Coinbase CB-MPC Cryptography Library Audit". RSVP here to have the meetup added to your calendar- lu.ma/ymr9db3z

We are pleased to announce the completion of security audit of PHP core! Executed by @quarkslab.bsky.social in partnership with @ostifofficial.bsky.social and commissioned by the @sovereign.tech. Learn more: thephp.foundation/blog/2025/04...

Quarkslab audited PHP-SRC, the open source interpreter of PHP. The security audit, sponsored by @ostifofficial.bsky.social with funding from @sovereign.tech, aimed at strengthening the project's security ahead of the upcoming PHP 8.4 release. Here's what we found: blog.quarkslab.com/security-aud...

We are so excited to announce the publication of our audit of PHP core! This work was made possible through a collaboration between OSTIF, @thephpf.bsky.social, and @quarkslab.bsky.social with funding provided by @sovereign.tech. For the report and further links, check out ostif.org/php-audit-co...