Chrony
Chrony is a versatile implementation of the Network Time Protocol (NTP). It can synchronize the system clock with NTP servers, reference clocks (e.g. GPS receiver), and manual input using wristwatch and keyboard. It can also operate as an NTPv4 (RFC 5905) server and peer to provide a time service to other computers in the network.
Audit Date: August 2018
Target and Scope: Chrony 3.2
Cost of Audit: $15,000
Auditing Firm: Cure53
Audit Results: Two miscellaneous issues.
Hyperledger Composer
Hyperledger Composer is an application development framework that simplifies and expedites the creation of Hyperledger Fabric blockchain applications.
Audit Date: May 2018
Target and Scope: Hyperledger Composer code base.
Cost of Audit: $34,505
Auditing Firm: Nettitude
Audit Results: Two medium and two low vulnerabilities.
containerd
containerd is available as a daemon for Linux and Windows. It manages the complete container lifecycle of its host system, from image transfer and storage to container execution and supervision to low-level storage to network attachments and beyond.
Audit Date: November 2018
Target and Scope:
Cost of Audit: $25,000
Auditing Firm: Cure53
Audit Results: One miscellaneous issue.
CoreDNS
CoreDNS is a DNS server written in Go. It differs from other DNS servers in its flexibility: it chains plugins, each of which performs one DNS function, such as Kubernetes service discovery, Prometheus metrics, or query rewriting.
Audit Date: March 2018
Target and Scope: CoreDNS codebase
Cost of Audit: $25,000
Auditing Firm: Cure53
Audit Results: One critical vulnerability (fixed) and three miscellaneous issues.
Envoy
Envoy is a high performance C++ distributed proxy designed for single services and applications, as well as a communication bus and “universal data plane” designed for large microservice “service mesh” architectures.
Audit Date: February 2018
Target and Scope: Envoy codebase
Cost of Audit: $25,000
Auditing Firm: Cure53
Audit Results: Four vulnerabilities and four miscellaneous issues.
Hyperledger Fabric
Hyperledger Fabric is a platform for distributed ledger solutions, underpinned by a modular architecture delivering high degrees of confidentiality, resiliency, flexibility and scalability.
Audit Date:
Target and Scope: Hyperledger Fabric codebase
Cost of Audit: $47,250
Auditing Firm: Nettitude
Audit Results: Two medium and three low vulnerabilities.
Hyperledger Indy
Hyperledger Indy provides a distributed-ledger-based foundation for self-sovereign identity.
Audit Date: November 2018
Target and Scope: Hyperledger Indy codebase
Cost of Audit: $38,000
Auditing Firm: Nettitude
Audit Results: Two medium and six low vulnerabilities.
Hyperledger Iroha
Iroha is a straightforward distributed ledger technology (DLT), inspired by the Japanese Kaizen principle of eliminating excessiveness (muri).
Audit Date: March 2018
Target and Scope: Hyperledger Iroha codebase
Cost of Audit: $37,125
Auditing Firm: Nettitude
Audit Results: One critical, one medium, and two low vulnerabilities.
Kubernetes
Kubernetes is an open source system for managing containerized applications across multiple hosts. It provides basic mechanisms for deployment, maintenance, and scaling of applications.
Audit Date: May 2019
Target and Scope: Kubernetes codebase
Cost of Audit: $250,000
Auditing Firm: Trail of Bits
Audit Results: Five high, seventeen medium, eight low, and seven miscellaneous issues.
NATS
NATS server is a simple, high performance open source messaging system for cloud native applications, IoT messaging, and microservices architectures.
Audit Date: November 2018
Target and Scope: NATS codebase
Cost of Audit:
Auditing Firm: Cure53
Audit Results: One critical, one medium, and two low vulnerabilities, as well as four miscellaneous issues.
ntpd
NTP is a protocol designed to synchronize the clocks of computers over a network. NTP version 4, a significant revision of the previous NTP standard, is the current development version. It is formalized by RFCs released by the IETF.
Audit Date: January 2017
Target and Scope: NTP 4.2.8.p9
Auditing Firm: Cure53
Audit Results: One critical and two high vulnerabilities, and eleven miscellaneous issues.
NTPSec
NTPsec…is a more secure NTP. NTPsec's goal is to deliver code that can be used with confidence in deployments with the most stringent security, availability, and assurance requirements.
Audit Date: January 2017
Target and Scope: NTPsec 0.9.6
Auditing Firm: Cure53
Audit Results: Three high vulnerabilities, and five miscellaneous issues.
Open Policy Agent
The Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.
Audit Date: August 2018
Target and Scope: Open Policy Agent (OPA) framework
Cost of Audit: $25,000
Auditing Firm: Cure53
Audit Results: Two vulnerabilities and four miscellaneous issues.
OpenSSL
OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
Audit Date: 2015-2016
Target and Scope: OpenSSL
Cost of Audit: $150,000
Auditing Firm: iSEC International in partnership with OCAP
Audit Results: Vulnerabilities were addressed in multiple patches released
OpenVPN
Secure Data Communications
Audit Date: May 2019 – July 2019
Target and Scope: New TLS code implementations in version 2.4.2
Cost of Audit: $125,000
Auditing Firm: X41 D-SEC
Audit Results: Twelve recommendations concerning the newly written security implementation code.
Prometheus
An open-source monitoring system with a dimensional data model, flexible query language, efficient time series database and modern alerting approach.
Audit Date: May 2018
Auditing Firm: Cure53
Audit Results: One high and two medium vulnerabilities, and two miscellaneous issues.
Hyperledger Sawtooth
An open source enterprise blockchain platform for building distributed ledger applications and networks.
Audit Date: December 2017
Target and Scope: Hyperledger Sawtooth codebase
Cost of Audit: $37,125
Auditing Firm: Nettitude
Audit Results: One high, five medium, and two low vulnerabilities.
TUF/Notary
The Notary project comprises a server and a client for running and interacting with trusted collections.
Audit Date: May 2018 – June 2018
Target and Scope: TUF/Notary software compound
Cost of Audit: $25,000
Auditing Firm: Cure53
Audit Results: Two vulnerabilities and two miscellaneous issues.
Unbound DNS
Secure Domain Name System Resolver
Audit Date: February 2019 – April 2019
Target and Scope: Full source-code review and security audit.
Cost of Audit: $150,000 funded by Core Infrastructure Initiative
Auditing Firm: QuarksLab LLC
Audit Results: Ten vulnerabilities found and patched: one critical CVE, two medium CVEs, and seven low/informational recommendations.