A couple of months ago, after exchanging some ideas with Sandro Gauci from Enable Security, we saw as feasible the idea of commissioning a professional security audit (penetration test) of OpenSIPS 3.2, with public results and benefits for the whole project and community.
So we embarked on the quest of making that possible: putting together a list of goals and, of course, evaluating the costs. And we ended up with a feasible plan.
The biggest challenge of that plan was to figure out how to cover the costs of this professional audit service. And this is tricky, as the “customer” for this service is an Open Source project. As you already know, the solution was to run a public fundraising campaign, something that somehow closes the “circle”: the whole community is funding work for the benefit of the entire community. We, the team representing the project, are just good at playing proxy, as usual 🙂
With a final big push from the OpenSIPS Summit (in terms of advertising), on the 13th of September (lucky day) the whole amount was raised, maybe even a bit more. But no worries, nothing will be left over, as we also need to cover several fees that are invisible to the public (PayPal, GoFundMe, wire transfers) in order to channel the money from the community to Enable Security.
But the target has been reached, with many many thanks to the whole community!!
Now it is our time to deliver – the gears are already in motion, the audit has already started, and Sandro Gauci and Alfred Farrugia are doing a fantastic job in terms of torturing OpenSIPS and reporting “things”.
Even if from the outside there is complete silence, trust us, a lot of work is under way on both sides, Enable Security and the OpenSIPS team. The final results of the audit will be made public at the end. Nevertheless, as we are addressing a sensitive area here, security, any potentially critical issues that are found will be made public only AFTER the fix is available – we do not want to expose any vulnerabilities until everybody can protect against them (and stay safe).
So stay tuned, the work is in progress, full steam ahead. And we will follow up with the results. To be honest, that will be the really exciting part of this whole process :).