Audit Program

The Core Infrastructure Initiative and the Linux Foundation as a whole believe security is an integral part of modern software development. To ensure security is appropriately considered and addressed, both CII and other projects within the LF have sponsored security audits to investigate and improve both internal and external projects. Recent audits include:

Chrony

Chrony is a versatile implementation of the Network Time Protocol (NTP). It can synchronize the system clock with NTP servers, reference clocks (e.g. GPS receiver), and manual input using wristwatch and keyboard. It can also operate as an NTPv4 (RFC 5905) server and peer to provide a time service to other computers in the network.

Audit Date: August 2018
Target and Scope: Chrony 3.2
Cost of Audit: $15,000
Auditing Firm: Cure53
Audit Results: Two miscellaneous issues.
» View Audit Report


Hyperledger Composer

Hyperledger Composer is an application development framework which simplifies and expedites the creation of Hyperledger fabric blockchain applications.

Audit Date: May 2018
Target and Scope: Hyperledger Composer code base.
Cost of Audit: $34,505
Auditing Firm: Nettitude
Audit Results: Two medium and two low vulnerabilities.
» View Audit Report


containerd

containerd is available as a daemon for Linux and Windows. It manages the complete container lifecycle of its host system, from image transfer and storage to container execution and supervision to low-level storage to network attachments and beyond.

Audit Date: November 2018
Target and Scope:
Cost of Audit: $25,000
Auditing Firm: Cure53
Audit Results: One miscellaneous issue.
» View Audit Report


CoreDNS

CoreDNS is a DNS server written in Go. It differs from other DNS servers in that it is very flexible: it chains plugins, and each plugin performs a DNS function, such as Kubernetes service discovery, Prometheus metrics or rewriting queries.

Audit Date: March 2018
Target and Scope: CoreDNS codebase
Cost of Audit: $25,000
Auditing Firm: Cure53
Audit Results: One critical vulnerability (fixed) and three miscellaneous issues.
» View Audit Report


Envoy

Envoy is a high performance C++ distributed proxy designed for single services and applications, as well as a communication bus and “universal data plane” designed for large microservice “service mesh” architectures.

Audit Date: February 2018
Target and Scope: Envoy codebase
Cost of Audit: $25,000
Auditing Firm: Cure53
Audit Results: Four vulnerabilities and four miscellaneous issues.
» View Audit Report


Hyperledger Fabric

Hyperledger Fabric is a platform for distributed ledger solutions, underpinned by a modular architecture delivering high degrees of confidentiality, resiliency, flexibility and scalability.

Audit Date:
Target and Scope: Hyperledger Fabric codebase
Cost of Audit: $47,250
Auditing Firm: Nettitude
Audit Results: Two medium and three low vulnerabilities.
» View Audit Report


Hyperledger Indy

Hyperledger Indy provides a distributed-ledger-based foundation for self-sovereign identity.

Audit Date: November 2018
Target and Scope: Hyperledger Indy codebase
Cost of Audit: $38,000
Auditing Firm: Nettitude
Audit Results: Two medium and six low vulnerabilities.
» View Audit Report


Hyperledger Iroha

Iroha is a straightforward distributed ledger technology (DLT), inspired by the Japanese Kaizen principle of eliminating excessiveness (muri).

Audit Date: March 2018
Target and Scope: Hyperledger Iroha codebase
Cost of Audit: $37,125
Auditing Firm: Nettitude
Audit Results: One critical, one medium, and two low vulnerabilities.
» View Audit Report


Kubernetes

Kubernetes is an open source system for managing containerized applications across multiple hosts. It provides basic mechanisms for deployment, maintenance, and scaling of applications.

Audit Date: May 2019
Target and Scope: Kubernetes codebase
Cost of Audit: $250,000
Auditing Firm: Trail of Bits
Audit Results: Five high, seventeen medium, eight low, and seven miscellaneous issues.
» View Audit Report


NATS

NATS server is a simple, high performance open source messaging system for cloud native applications, IoT messaging, and microservices architectures.

Audit Date: November 2018
Target and Scope: NATS codebase
Cost of Audit:
Auditing Firm: Cure53
Audit Results: One critical, one medium, and two low vulnerabilities, as well as four miscellaneous issues.
» View Audit Report


ntpd

NTP is a protocol designed to synchronize the clocks of computers over a network. NTP version 4, a significant revision of the previous NTP standard, is the current development version. It is formalized by RFCs released by the IETF.

Audit Date: January 2017
Target and Scope: NTP 4.2.8.p9
Auditing Firm: Cure53
Audit Results: One critical and two high vulnerabilities, and eleven miscellaneous issues.
» View Audit Report


NTPSec

NTPsec…is a more secure NTP. NTPSec’s goal is to deliver code that can be used with confidence in deployments with the most stringent security, availability, and assurance requirements.

Audit Date: January 2017
Target and Scope: NTPsec 0.9.6
Auditing Firm: Cure53
Audit Results: Three high vulnerabilities, and five miscellaneous issues.
» View Audit Report


Open Policy Agent

The Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.

Audit Date: August 2018
Target and Scope: Open Policy Agent (OPA) framework
Cost of Audit: $25,000
Auditing Firm: Cure53
Audit Results: Two vulnerabilities and four miscellaneous issues.
» View Audit Report


OpenSSL

OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

Audit Date: 2015-2016
Target and Scope: OpenSSL
Cost of Audit: $150,000
Auditing Firm: iSEC International in partnership with OCAP
Audit Results: Vulnerabilities were addressed in multiple patches released


OpenVPN

Secure Data Communications

Audit Date: May 2019 – July 2019
Target and Scope: New TLS code implementations in version 2.4.2
Cost of Audit: $125,000
Auditing Firm: X41 D-SEC
Audit Results: 12 recommendations made to newly minted security implementation code.
» View Audit Report


Prometheus

An open-source monitoring system with a dimensional data model, flexible query language, efficient time series database and modern alerting approach.

Audit Date: May 2018
Auditing Firm: Cure53
Audit Results: One high and two medium vulnerabilities, and two miscellaneous issues.
» View Audit Report


Hyperledger Sawtooth

An open source enterprise blockchain platform for building distributed ledger applications and networks.

Audit Date: December 2017
Target and Scope: Hyperledger Sawtooth codebase
Cost of Audit: $37,125
Auditing Firm: Nettitude
Audit Results: One high, five medium, and two low vulnerabilities.
» View Audit Report


TUF/Notary

The Notary project comprises a server and a client for running and interacting with trusted collections.

Audit Date: May 2018 – June 2018
Target and Scope: TUF/Notary software compound
Cost of Audit: $25,000
Auditing Firm: Cure53
Audit Results: Two vulnerabilities and two miscellaneous issues.
» View Audit Report


Unbound DNS

Secure Domain Name System Resolver

Audit Date: February 2019 – April 2019
Target and Scope: Full source-code review and security audit.
Cost of Audit: $150,000 funded by Core Infrastructure Initiative
Auditing Firm: QuarksLab LLC
Audit Results: Ten vulnerabilities found and patched: one critical CVE, two medium CVEs, and seven low/informational recommendations.
» View Audit Report