OSTIF security assistance beginning soon

Posted: 18 Feb 2025 17:32
by OSTIFDerek
Hello everyone,

I'm Derek from OSTIF and we are an org that helps open source projects with their security, for free. We have a long track record and a lot of experience under our belts working on everything from huge projects like Git to smaller projects like VeraCrypt. We publish all of our work on our website so feel free to Google us and look at our catalog. (I won't post URLs for fear of the mighty spambot hammer.)

I've used VLC for my entire adult life. It was my first (or maybe second if we are counting WinZip) open source project that I ever encountered and it opened up my idea to the idea of free and open source software. It's always had a special place in my heart and I've always wanted to contribute back.

I feel privileged to be in that position now.

OSTIF has secured the resources to work on helping VLC improve its security posture. We've had some trouble reaching out through the VideoLAN org and GitHub so I thought I'd try here.

We have a plan with what we'd like to help with based on our expertise and what we think that VLC could benefit from the most. The highlights are:

1. Taking a look at how VLC is built and distributed and looking for improvements to help VLC resist tampering with builds when they are built/shipped.
2. Taking a look at how we can improve testing in VLC to help with memory safety in meaningful ways (building out more fuzz testing).

I want to make sure that we have the support of the community for these ideas and that we can work together to make VLC even safer for all of us. We are more than happy to take feedback and input as to what we can do to help VLC shine for many years more.

I will check this post frequently as the work begins soon. I can also be reached via my org email which includes all of the letters of my first name + shift 2 + our domain. (I hate AI spam)

I hope this is really helpful for VideoLAN and VLC!

Re: OSTIF security assistance beginning soon

Posted: 18 Feb 2025 18:03
by woodruffw
Hi all,

I'm one of the security experts that OSTIF is working with to help on VLC's security posture. My team and I (at Trail of Bits) will be looking at the components that Derek mentioned above over the coming weeks.

I'd be more than happy to liaise with maintainers to ensure the VLC project gets the most out of our time -- we have a lot of experience doing these kinds of reviews, but it always helps to have the codebase's own experts tell us where they think we should maximize our attention/scrutiny.

(I'm happy to talk here or over email or whatever else! My email is william - at - trailofbits - dot - com.)

Re: OSTIF security assistance beginning soon

Posted: 24 Feb 2025 20:54
by OSTIFDerek
The work has started as of today. We'd love to hear any feedback or input about our proposed help and if it fits in with what VLC needs. We can definitely work with any input that the community has.

If we don't hear anything back we will proceed with building out the tooling and evaluating the build system, and we will submit them as MRs through regular git channels.

Our biggest worry on our end is that we will build out these new tools, get a bunch of security findings and ultimately dump them on the project to resolve, which is what we want to avoid. We want to make sure that the community and VideoLAN have the resources needed to address the findings, and we can assist with finding funding and engineers to help with this if needed. Please reach out to me if possible so that we can make our work helpful and not disruptive.