OSTIF Official
@OSTIFofficial
Non-profit org that connects open-source projects with security resources. We are the Open Source Technology Improvement Fund.
Do you have an extra 5 minutes today you want to spend learning about open source security? OSTIF is proud to share our 2024 Annual Report today, covering the 60 open source security engagements we directed last year. See links 👇 to read about our efforts!

Kairo Araujo from RSTUF, Eric Sesterhenn from @X41Sec, and Helen from OSTIF are 1 month away from presenting at @openssf Community Day in Amsterdam! RSVP to “Securing RSTUF to Secure Your Supply Chain” at sched.co/25dGk
We “conda” believe it- our audit of conda-forge is released! Read about the work on our blog: ostif.org/conda-forge-au… Thank you to @7aSecurity for performing the auditing and @sovtechagency for funding this crucial engagement
🔊 New 7ASecurity public #securityaudit report 🔒 #CondaForge & @OSTIFofficial enhance the ecosystem security with verified fixes. Feedback is welcome, enjoy! 🌐 7asecurity.com/blog/2025/07/c… #CyberSecurity #PenTesting #OpenSourceSecurity #SoftwareSecurity #infosec
Happy Anniversary to our audit of CycloneDDS! Released last year, this work was a collab with @AlphaOmegaOSS, Eclipse Foundation, @X41Sec, and CycloneDDS maintainers with OSTIF to create security outcomes. Read the report at our blog: ostif.org/cyclndds-audit…
Party on, OSTIF! We toasted in our 10 year anniversary this weekend with a new employee, new merch, and fresh eyes on the next 10 years ahead (also: cheesecake pie). See some pics of the party and read about the rest of our anniversary plans at our blog: ostif.org/10yr-party/

We lava good audit- and Volcano definitely was one! Completed with support from @CloudNativeFdn and auditing by @ADALogics, this work resulted in improvements to fuzzing and secure by design processes. Read more at our blog: ostif.org/volcano-audit-…

OSTIF is proud to announce publication of our audit of Ruby on Rails, done in collaboration with @X41Sec, @gitlab (esp. @joernchen), and @sovtechagency. Read more about the work done at ostif.org/ruby-on-rails-…
We are proud to share the results of our audits of nghttp3 and ngtcp2! Carried out by @X41Sec with funding by @sovtechagency, the details of the resulting work are available on our blog: ostif.org/nghttp3-ngtcp2…
The recording is up now at youtube.com/watch?v=Dq_KVL…
"Parser Differentials: When Interpretation Becomes a Vulnerability" by @joernchen!
Call for Meetups! We're looking for 20-30 minute lightning talks with accompanying deck for visual guidance. Simply fill out the form at this Calendly link (calendly.com/helen-ostif/su…) pick your date & time, and speak directly to the OSTIF community!
ICYMI: @kaepora's OSTIF meetup from April 23rd is available to watch back on YouTube youtu.be/2wR25jFgPSo?si… tell your friends, tell your mom, tell your mom's friends who are into crypto to watch & share!

Starting in 25 minutes!
Wednesday- you, Nadim Kobeissi (@kaepora), and OSTIF's community meeting about Lessons from the Coinbase CB-MPC Cryptographic Library Audit. RSVP here lu.ma/ymr9db3z

OSTIF is proud to announce the publication of our audit of @IstioMesh's ztunnel implementation. This work was done with the Istio product security working group, @trailofbits, and the @CloudNativeFdn. Read about the results in our blog ostif.org/istio-ztunnel-…

Join us next Wednesday, April 23rd with @kaepora Nadim Kobeissi, Senior Applied Cryptography Auditor at @cure53berlin presenting "Guarding the Gates: Lessons from the Coinbase CB-MPC Cryptography Library Audit". RSVP at our lu.ma page- lu.ma/ymr9db3z
We are so excited to announce the publication of our audit of PHP core! This work was a collaboration between our organization, @ThePHPF, and @quarkslab, with funding provided by the @sovtechagency. For the report, high points, and further links ostif.org/php-audit-comp…

We are pleased to announce the completion of the security audit of PHP core! Executed by @quarkslab in partnership with @OSTIFofficial and commissioned by the @sovtechagency. Learn more: thephp.foundation/blog/2025/04/1…
Quarkslab audited PHP-SRC, the open source interpreter of PHP. The security audit, sponsored by @OSTIFofficial with funding from @sovtechagency, aimed at strengthening the project's security ahead of the upcoming PHP 8.4 release. Here is what we found: blog.quarkslab.com/security-audit…