Security Audits

Contact: Ed Maste <emaste@FreeBSD.org>
Contact: Alice Sowerby <alice@freebsdfoundation.org>

The project began in Q2 of 2024 and was funded by Alpha Omega with a budget of $137,500, which was used over about six months and is now complete. The focus was on conducting a code audit for key subsystems, bhyve and Capsicum, as well as performing a security audit of the development process. The funds were used to hire a specialist offensive security firm to perform the code audit, to contract developers to address issues found, and for Foundation staff’s work on both audits.

Q4 update
The project is complete.

The Code Audit and subsequent reports were released after the related Security Advisories were published.

The Process Audit is complete. It was created by FreeBSD Foundation staff who ran an outreach exercise to gather information about the current FreeBSD development process. The teams consulted were: Security Team, Source Management Team, Cluster Administrators, Release Engineering Team.

Information was gathered through an online long-form survey which was structured around existing frameworks for analysing security in software development. Teams were asked to describe current development processes and appraise the current security practices, as well as to make suggestions for improvements.

The responses were collated and synthesised into the report by Foundation staff. The report was reviewed for accuracy by the original respondents.

The report will now be made available to the Security Team and other teams previously mentioned, as well as to the Foundation executive team. This will be a useful tool in identifying areas for investment and prioritisation going forward as more security projects are planned and funded.

The report is intended primarily for FreeBSD Project and Foundation planning purposes and as such there is no plan to promote it to an external audience. Interested readers should contact the Security Team to request a copy of the report.

To learn about the project, and to see historical monthly updates visit: https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024/FreeBSD.
Last modified on: January 18, 2025 by Joseph Mingrone