# Key Metrics

- **200+** severe bugs found and patched (bugs that would carry a CVSS rating of "high" or "critical")
- **20,000+** hours of coordinated security review
- **750+** security vulnerabilities found and patched

### The following is a list of engagements organized by OSTIF.

PDF versions of the full report(s) are at the bottom of each page linked in the Deliverable column.

| Product | Review Date | Scope of Work | Deliverable |
|:---|:---|:---|:---|
| OperatorFabric | September 2024 | Threat Model, Manual Code Review, Automated Testing | [OperatorFabric Audit Complete!](https://ostif.org/operatorfabric-audit-complete/) |
| SEAPATH | September 2024 | Threat Model, Manual Code Review, Automated Testing | [SEAPATH Audit Complete!](https://ostif.org/seapath-audit-complete/) |
| LitmusChaos | August 2024 | Threat Model, Manual Code Review, Automated Testing | [LitmusChaos Audit Complete!](https://ostif.org/litmuschaos-audit-complete/) |
| Fastify | August 2024 | Threat Model, Manual Code Review, Automated Testing | [Fastify Audit Complete!](https://ostif.org/fastify-audit-complete/) |
| Cloud Native Buildpacks | July 2024 | Threat Model, Manual Code Review, Automated Testing | [Cloud Native Buildpacks Audit Complete!](https://ostif.org/buildpacks-audit-complete/) |
| Apache Commons | July 2024 | Manual Code Review, Automated Testing | [Apache Commons Audit Complete!](https://ostif.org/apachec-audit-complete/) |
| CycloneDDS | June 2024 | Manual Code Review, Automated Testing | [CycloneDDS Audit Complete!](https://ostif.org/cyclndds-audit-complete/) |
| Temurin | June 2024 | Manual Code Review, Automated Testing | [Temurin Audit Complete!](https://ostif.org/temurin-audit-complete/) |
| OpenSSL | June 2024 | Manual Code Review, Automated Testing | [OpenSSL Audit Complete!](https://ostif.org/openssl-audit-complete/) |
| Kuksa | May 2024 | Threat Model, Manual Code Review, Automated Testing | [Kuksa Audit Complete!](https://ostif.org/kuksa-audit-complete/) |
| Cloud Custodian | April 2024 | Manual Code Review, Automated Testing, Supply Chain Security Analysis | [CloudCustodian Audit Complete!](https://ostif.org/cc-audit-complete/) |
| Bref | March 2024 | Manual Code Review, Automated Testing | [bref Audit Complete!](https://ostif.org/bref-audit-complete/) |
| cert-manager | March 2024 | Threat Modeling, Manual Code Review, Automated Testing, SLSA | [cert-manager Audit Complete!](https://ostif.org/cert-manager-audit-complete/) |
| LLVM | March 2024 | Manual Review, Fuzzing Setup and Improvements | [LLVM Audit Complete!](https://ostif.org/llvm-audit-complete/) |
| cURL HTTP/3 | February 2024 | Manual Review, Fuzzing Improvements | [cURL Audit Complete!](https://ostif.org/curl-audit-complete/) |
| Jackson-Dataformats and Jackson-Datatypes | February 2024 | Manual Review, Threat Modeling, Fuzzing Improvements | [Audit of Jackson-Dataformats and Jackson-Datatypes Complete](https://ostif.org/dataformatsdatatypes-audit-complete/) |
| PHP-TUF | January 2024 | Security Audit, Threat Modeling, Tooling Improvements | [PHP-TUF Audit Complete!](https://ostif.org/php-tuf-audit-complete/) |
| Amazon Web Services & Eclipse Foundation Security Audit Impact Report | Calendar Year 2023 | Aggregate Results | [Link to Post and Report](https://ostif.org/aws-ec-audit-report-2023/) |
| CubeFS | January 2024 | Threat Modeling, Manual Code Review, Automated Testing, SLSA | [CubeFS Security Audit is Complete](https://ostif.org/cubefs-audit-complete/) |
| 2023 CNCF Audit Impact Report | Calendar Year 2023 | Aggregate Results | [2023 Cloud Native Computing Foundation Audit Impact Report](https://ostif.org/2023-cloud-native-computing-foundation-audit-impact-report/) |
| 50th Audit Milestone | YTD | Top Vulnerability Types Found, Lessons Learned, Common Auditing Mistakes | [50th Audit Milestone](https://ostif.org/50th-audit-milestone/) |
| 2023 Annual Report | Calendar Year 2023 | Aggregate Results | [2023 OSTIF Annual Report](https://ostif.org/2023annualreport/) |
| nvm | December 2023 | Threat Modeling, Manual Code Review, Automated Testing, SLSA | [nvm Security Audit Complete](https://ostif.org/nvm-audit-complete/) |
| Knative | November 2023 | Threat Modeling, Manual Code Review, Automated Testing, SLSA | [Knative Security Audit Complete](https://ostif.org/knative-audit-complete/) |
| Kyverno | November 2023 | Threat Modeling, Manual Code Review, Automated Testing, SLSA | [Kyverno Security Audit Complete](https://ostif.org/kyverno-audit-complete/) |
| Mosquitto | November 2023 | Threat Modeling, Manual Code Review, Automated Testing | [The Buzz about Mosquitto's Security Audit!](https://ostif.org/mosquitto-security-audit/) |
| Flux | November 2023 | Manual Code Review, Automated Testing | [In-Flux-ible on bugs- Flux undergoes Security Audit with OSTIF and Trail of Bits](https://ostif.org/flux-audit-complete/) |
| RustVMM | November 2023 | Manual Code Review | [RustVMM Security Audit with OSTIF is Complete!](https://ostif.org/rustvmm-audit-complete/) |
| Jetty | October 2023 | Manual Code Review, Threat Model, Fuzzing and Static Analysis Tool Implementation | [OSTIF Has Completed an Audit of Jetty!](https://ostif.org/ostif-has-completed-an-audit-of-jetty/) |
| wasmCloud | October 2023 | Manual Code Review, Fuzzing | [OSTIF Has Completed A Security Audit of wasmCloud!](https://ostif.org/ostif-has-completed-a-security-audit-of-wasmcloud/) |
| OpenSearch | September 2023 | Manual Code Review | [Bugs? Search Me!- OpenSearch Security Audit Completed!](https://ostif.org/opensearch-audit/) |
| JKube | September 2023 | Threat Modeling, Manual Code Review | [JKube Security Audit Completed!](https://ostif.org/jkube-audit/) |
| OSTIF's Security Expertise | September 2023 | Visual Aggregate of OSTIF's Work | [View Here](https://drive.google.com/file/d/1pqQKfhpbiZ38mQe5Qufig1_Z7ig20V8u/view?usp=sharing) |
| Dragonfly | September 2023 | Security Review, Fuzzing Improvements, Threat Model | [OSTIF's Favorite Bug- DragonFly!](https://ostif.org/dragonfly-audit/) |
| Dapr | September 2023 | Security Review, Fuzzing Improvements, Supply Chain Assessment, Threat Model | [Dampening Vulnerabilities in Dapr: Security Audit of Dapr](https://ostif.org/dapr-audit/) |
| Envoy Proxy | August 2023 | Bug Triage and Fixes, Fuzzing Performance Improvements | [OSTIF collaborates with the Envoy Team to further improve security posture.](https://ostif.org/envoy-security-audit/) |
| Crossplane | July 2023 | Security Review, Fuzzing Improvements, Supply Chain Assessment, Threat Model | [OSTIF completes Security Audit of Crossplane-improved across the board!](https://ostif.org/crossplane-audit-complete/) |
| Mozilla K-9 | July 2023 | Security Review, Supply Chain Assessment, Threat Model | [OSTIF's Security Audit of K-9 Mail is Complete!](https://ostif.org/k-9-mail-audit/) |
| Equinox p2 | July 2023 | Security Review, Tooling Review | [OSTIF's Audit of Equinox P2 is Complete!](https://ostif.org/2023-15/) |
| libjpeg-turbo | July 2023 | Security Review | [Our Audit of libjpeg-turbo is Complete!](https://ostif.org/our-audit-of-libjpeg-turbo-is-complete/) |
| Notation | July 2023 | Security Review, Fuzzing Improvements, SLSA Assessment | [OSTIF's Security Audit of Notation-duly Noted!](https://ostif.org/2023-14/) |
| go-tuf | June 2023 | Security Review | [go-tuf on bugs! OSTIF's audit of go-tuf!](https://ostif.org/go-tuf-on-bugs-ostifs-audit-of-go-tuf/) |
| Vitess | May 2023 | Security Review, Fuzzing Improvements | [Our Audit of Vitess is Complete!](https://ostif.org/our-audit-of-vitess-is-complete/) |
| in-toto | May 2023 | Security Review | [Our Audit of in-toto is Complete!](https://ostif.org/our-audit-of-in-toto-is-complete/) |
| c-ares | May 2023 | Security Review, Fuzzing Improvements | [Our Audit of c-ares is Complete!](https://ostif.org/our-audit-of-c-ares-is-complete/) |
| libcap | May 2023 | Security Review, Fuzzing Improvements | [Our Audit of Libcap is Complete!](https://ostif.org/our-audit-of-libcap-is-complete/) |
| SimpleJSON | April 2023 | Security Review, Fuzzing Improvements | [Our Audit of SimpleJSON is Complete!](https://ostif.org/our-audit-of-simplejson-is-complete/) |
| 2022 OSTIF Annual Report | March 2023 | Security Reviews, Threat Modeling, Fuzzing Improvements | [The 2022 OSTIF Annual Report](https://ostif.org/the-ostif-2022-annual-report/) |
| Falco | March 2023 | Security Review, Threat Modeling, Fuzzing Improvements | [Our Review of Falco is Complete!](https://ostif.org/our-review-of-falco-is-complete/) |
| 2022 CNCF Impact Report | July 2022 - February 2023 | Security Reviews, Threat Models, Fuzzing Improvements, SLSA Assessments | [The OSTIF Impact Report for the Cloud Native Computing Foundation](https://ostif.org/the-ostif-impact-report-for-the-cloud-native-computing-foundation/) |
| Git for Windows Software Supply Chain Audit | February 2023 | SLSA Assessment | [Our Software Supply Chain Audit of Git for Windows is Complete!](https://ostif.org/our-software-supply-chain-audit-of-git-for-windows-is-complete/) |
| Cilium | February 2023 | Security Review, Threat Model, Fuzzing Improvements, SLSA Assessment | [Our Audit of Cilium is Complete!](https://ostif.org/our-audit-of-cilium-is-complete/) |
| KEDA | February 2023 | Security Review, Threat Modeling | [Our Audit of Kubernetes Event Driven Autoscaling (KEDA) is Complete](https://ostif.org/our-audit-of-kubernetes-event-driven-autoscaling-keda-is-complete/) |
| Independent Security Audit Impact Report | February 2023 | Security Reviews, Threat Models, Tooling Improvements | [The OSTIF Independent Security Audit Impact Report](https://ostif.org/the-ostif-independent-security-audit-impact-report/) |
| Istio | January 2023 | Security Review, Threat Model, Fuzzing Improvements, SLSA Assessment | [The Audit of Istio is Complete!](https://ostif.org/the-audit-of-istio-is-complete/) |
| Git | January 2023 | Security Review, Threat Model | [The Audit of Git is Complete!](https://ostif.org/the-audit-of-git-is-complete/) |
| cURL | October 2022 | Security Review, Threat Model | [Results of curl Security Audit.](https://ostif.org/the-ostif-audit-of-curl-with-trail-of-bits-is-complete/) |
| CloudEvents | September 2022 | Security Review | [Results of the CloudEvents Security Assessment.](https://ostif.org/results-of-the-cloudevents-security-assessment/) |
| Jackson-Core and Jackson-Databind | August 2022 | Security Review, Threat Model, Fuzzing Suite Update | [Our Audits of Jackson-Core and Jackson-Databind are Complete.](https://ostif.org/our-audits-of-jackson-core-and-jackson-databind-are-complete/) |
| Python-TUF | September 2022 | Security Review | [Our Audit of Python-TUF is Complete. Multiple Issues Found and Fixed.](https://ostif.org/our-audit-of-python-tuf-is-complete-multiple-issues-found-and-fixed/) |
| Backstage | April - August 2022 | Security Review, Threat Model | [The OSTIF Audit of Backstage with X41 D-Sec is Complete!](https://ostif.org/the-ostif-audit-of-backstage-with-x41-d-sec-is-complete/) |
| CNCF Impact Report | November 2021 - July 2022 | Security Reviews & Associated Work | [The Cloud Native Computing Foundation and OSTIF Impact Report.](https://ostif.org/the-cloud-native-computing-foundation-and-ostif-impact-report/) |
| SLF4J | April 2022 | Security Review, Threat Model, Supply Chain Security Review | [Our Audit of SLF4J is Complete!](https://ostif.org/our-audit-of-slf4j-is-complete/) |
| sigstore | May 2022 | Security Review, Threat Model | [Our Audit of sigstore is complete. High risk vulnerability found and fixed.](https://ostif.org/our-audit-of-sigstore-is-complete-high-risk-vulnerability-found-and-fixed/) |
| Argo | April 2022 | Security Review, Threat Model | [Our Audit of Argo is Complete. Critical and High Severity Issues Found and Fixed](https://ostif.org/our-audit-of-argo-is-complete-critical-and-high-severity-security-issues-found-and-fixed/) |
| KubeEdge | July 2022 | Security Review, Threat Model, Supply Chain Security Assessment | [Our Audit of KubeEdge is Complete. Multiple Security Issues Found and Fixed](https://ostif.org/our-audit-of-kubeedge-is-complete-multiple-security-issues-found-and-fixed/) |
| CRI-O | June 2022 | Security Review, Threat Model, Supply Chain Security Assessment | [Our Audit of CRI-O is Complete. High Severity Issues Found and Fixed](https://ostif.org/our-audit-of-cri-o-is-complete-high-severity-issues-found-and-fixed/) |
| Flux | September 2021 | Security Review | [Our Audit of Flux2 is Complete](https://ostif.org/our-audit-of-flux2-is-complete/) |
| Linux Kernel | April 2021 | Policy Review | [A Review of the Linux Kernel's Release Signing and Key Management Policies](https://ostif.org/a-review-of-the-linux-kernels-release-signing-and-key-management-policies/) |
| Linux Kernel | January 2021 | Policy Review | [A Review of the Linux Kernel's Vulnerability Reporting and Remediation](https://ostif.org/a-review-of-the-linux-kernels-vulnerability-reporting-and-remediation/) |
| COVID Shield | October 2020 | Security Review, Threat Model | [The Linux Foundation Public Health Initiative Sponsored the Audit of COVID Exposure Notification Apps.](https://ostif.org/the-linux-foundation-public-health-initiative-sponsored-the-audit-of-covid-exposure-notification-apps-here-are-the-results/) |
| COVID Green | October 2020 | Security Review, Threat Model | [The Linux Foundation Public Health Initiative Sponsored the Audit of COVID Exposure Notification Apps.](https://ostif.org/the-linux-foundation-public-health-initiative-sponsored-the-audit-of-covid-exposure-notification-apps-here-are-the-results/) |
| CLSAG | July 2020 | Security Review | [The OSTIF Audit of Monero CLSAG is Complete!](https://ostif.org/the-ostif-audit-of-monero-clsag-is-complete-results/) |
| Unbound | December 2019 | Security Review | [Our Audit of Unbound DNS by X41 D-Sec](https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/) |
| RandomX | August 2019 | Security Review | [Four Audits of RandomX for Monero and Arweave have been Completed](https://ostif.org/four-audits-of-randomx-for-monero-and-arweave-have-been-completed-results/) |
| OpenSSL | January 2019 | Security Review | [The OSTIF and Quarkslab Audit of OpenSSL is Complete](https://ostif.org/the-ostif-and-quarkslab-audit-of-openssl-is-complete/) |
| Monero Bulletproofs | October 2018 | Security Review | [The QuarksLab and Kudelski Security audits of Monero Bulletproofs are Complete](https://ostif.org/the-quarkslab-and-kudelski-security-audits-of-monero-bulletproofs-are-complete/) |
| Monero Bulletproofs | July 2018 | Security Review | [The QuarksLab and Kudelski Security audits of Monero Bulletproofs are Complete](https://ostif.org/the-quarkslab-and-kudelski-security-audits-of-monero-bulletproofs-are-complete/) |
| OpenSSL PRNG | September 2018 | Security Review | [Our Review of the OpenSSL 1.1.1 Random Number Generation Update](https://ostif.org/the-ostif-and-quarkslab-audit-of-openssl-is-complete/) |
| OpenVPN | May 2017 | Security Review | [The OpenVPN 2.4.0 Audit by OSTIF and QuarksLab Results](https://ostif.org/the-openvpn-2-4-0-audit-by-ostif-and-quarkslab-results/) |
| VeraCrypt | October 2016 | Security Review | [The VeraCrypt Audit Results](https://ostif.org/the-veracrypt-audit-results/) |