Technical Initiative
gittuf project
Lifecycle Phase
incubating
Funding amount
Unknown; please advise us.
Problem Statement
We'd like a security audit
Who does this affect?
We'd like a more rigorous examination of our code before removing the beta tag
Have there been previous attempts to resolve the problem?
We had someone with Glasswing access check our codebase.
Why should it be tackled now and by this TI?
Yes! We view this as a blocker for removing the beta tag.
Give an idea of what is required to make the funding initiative happen
We'd like some firm to do a security audit of gittuf's codebase.
What is going to be needed to deliver this funding initiative?
An outside security audit.
Are there tools or tech that still need to be produced to facilitate the funding initiative?
No.
Give a summary of the requirements that contextualize the costs of the funding initiative
An audit of our code at: https://github.com/gittuf/gittuf
We would also appreciate any feedback on our threat model and similar functionality.
Who is responsible for doing the work of this funding initiative?
Patrick Zielinski (from our side) would be the gittuf POC.
Who is accountable for doing the work of this funding initiative?
A firm you select
If the responsible or accountable parties are no longer available, what is the backup contact or plan?
Select another firm
What license is this funding initiative being used under?
n/a
Code of Conduct
List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.
June 2026, identify a firm
July 2026, initial discussion / threat modeling / expectations
August 2026, findings report
(deadline is subject to discussion with the audit firm)
If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.
Provide a security audit for the gittuf project. Examine the code for defects and design flaws. Also find any weaknesses or shortcomings in the project's threat model given the current threat landscape. After discussion with the project maintainers, produce a written report of findings for public release.