Through support from the Open Tech Fund's (OTF) Red Team Lab, OpenArchive successfully completed a third-party security audit conducted by Trail of Bits.
At OpenArchive, we strive to make our Save app as safe as possible. Through support from the Open Tech Fund's (OTF) Red Team Lab, we successfully completed a third-party security audit conducted by Trail of Bits. Please find the OTF report here. We are pleased with the results and hope our stakeholders can take comfort in knowing our tool is secure.
Outcomes: Our tech team was able to resolve all high-severity security vulnerabilities identified in the audit. However, due to architectural constraints and third-party dependencies, we were only able to partially resolve some issues. Below, we map our plan to address outstanding issues.
Trail of Bits finished their initial audit of the iOS version of the Save app in Winter of 2023 and then reviewed the fixes and mitigations implemented by the OpenArchive team to resolve the issues identified in their initial audit report.
Trail of Bits finished their initial audit of the Android version of the Save app in Spring 2023 and then reviewed the fixes and mitigations implemented by the OpenArchive team to resolve the issues identified in their initial audit report. We have addressed and solved most of the issues identified by Trail of Bits.
There are some issues that are either partially resolved or not resolved yet. These issues either do not represent a threat to Save users, are not directly exploitable, or are dependent on third-party libraries that we use.
Further information
If you are interested in the individual issues addressed in the report and how we solved them, you can read OTF's Report here.
The Trail of Bits audits are on GitHub for Android and for iOS.
We have also published our own detailed summary of the partially resolved or unresolved issues and how we have addressed or will address them.