{"id":18508488,"url":"https://github.com/ossf/security-reviews","last_synced_at":"2026-02-27T08:34:26.630Z","repository":{"id":40294922,"uuid":"331403206","full_name":"ossf/security-reviews","owner":"ossf","description":"A community collection of security reviews of open source software components.","archived":false,"fork":false,"pushed_at":"2024-02-29T14:23:47.000Z","size":1421,"stargazers_count":93,"open_issues_count":13,"forks_count":26,"subscribers_count":15,"default_branch":"main","last_synced_at":"2025-04-09T20:51:42.315Z","etag":null,"topics":["security-audit","security-reviews"],"latest_commit_sha":null,"homepage":"https://openssf.org","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ossf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSES/Apache-2.0.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-01-20T19:00:22.000Z","updated_at":"2025-01-21T06:43:35.000Z","dependencies_parsed_at":"2023-02-08T04:17:09.179Z","dependency_job_id":"bf65b20a-3b41-44b5-a91c-28ccb0b420cf","html_url":"https://github.com/ossf/security-reviews","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":"ossf/project-template","purl":"pkg:github/ossf/security-reviews","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fsecurity-reviews","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fsecurity-reviews/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fsecurity-reviews/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/Gi
tHub/repositories/ossf%2Fsecurity-reviews/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ossf","download_url":"https://codeload.github.com/ossf/security-reviews/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fsecurity-reviews/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29888181,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-27T08:34:21.514Z","status":"ssl_error","status_checked_at":"2026-02-27T08:32:38.035Z","response_time":57,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["security-audit","security-reviews"],"created_at":"2024-11-06T15:14:33.123Z","updated_at":"2026-02-27T08:34:26.604Z","avatar_url":"https://github.com/ossf.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Security Reviews\n\nThis repository contains a collection of security reviews of open source software. It is a public resource that anyone can contribute to, and is consumable by anyone under a permissive license.\n\n**[View the Security Reviews](Overview.md)**\n\n## How do I submit a review?\n\n***Note: Do not disclose \"new\" or \"unknown\" vulnerabilities in other projects to this project or to this repository.***\n\n1. Choose an open source component.\n2. 
Complete the form on the [QuickStart](https://ossf.github.io/security-reviews/quickstart.html) page (this will generate your review as a markdown file).\n3. Clone this repository and add your security review to the relevant path in the [reviews](https://github.com/ossf/security-reviews/tree/main/reviews) directory (see [Naming Reviews](#naming-reviews)).\n4. Submit a pull request!\n\n## Naming Reviews\n\nThe name of a security review should be readable, using hyphen-separated lowercase\nletters, and should be placed in the most relevant path in the [reviews](https://github.com/ossf/security-reviews/tree/main/reviews) directory. For example, a security review of Django could be placed in the `pypi/django` path, and a review of Zlib could be placed in the `github/madler/zlib` path. It is likely the relevant path for your security review has not yet been created, as this repository is still a work in progress. If that is the case, please create the relevant path for your review.\n\nIf a review reflects multiple projects across different package managers (e.g.\nDjango exists on both GitHub and PyPI), please file the project in the location\nusers are most likely to look for it (in this case, PyPI). 
If you get stuck,\nfeel free to ask in an Issue or Pull Request.\n\n## Removing Reviews\n\nIf you believe that a security review is inappropriate, either because\nit is giving objectively poor advice, contains an undisclosed security\nvulnerability, or similar, please open an Issue or [contact us](#) (link TBD).\n\nWe reserve the right to remove, or not remove, any content submitted\nto this repository.\n\n## Tips\n\n * Read the [Review Template](template.md) for information on which sections can (and must) be included and suggestions for the level of detail expected.\n * Watch the [Video Introduction](#) (may not be uploaded yet) for more information and to learn more about what is expected in a security review.\n * Please see the [Wiki](https://github.com/ossf/security-reviews/wiki) for information on topics such as the [Disclosure Policy](https://github.com/ossf/security-reviews/wiki/Disclosure-Policy) and the [PR Review Process](https://github.com/ossf/security-reviews/wiki/PR-Review-Process).\n\n## Disclosure Policy\n\nThis platform is **not** intended to be a vulnerability reporting process, but rather a forum for sharing general security reviews of open source components. If you\ndiscover a vulnerability in an open source software component, we\nstrongly encourage you to disclose it privately to the author so as\nto protect the community.\n\nThis platform is also **not** intended to be a vulnerability disclosure mechanism\n(i.e. it isn't an alternative to a CVE). 
If you are the author of a\ncomponent, we encourage you to publicly disclose the vulnerability,\neither through the\n[GitHub Security Advisory](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/about-github-security-advisories)\nprocess, requesting a formal CVE yourself, or another appropriate\nmechanism.\n\n***For reviews that describe or reference vulnerabilities:***\n\n * Vulnerabilities must already be disclosed publicly (preferably via a CVE) AND either (a) it must be fixed OR (b) at least 90 days must have passed since it was publicly disclosed.\nFor reviews that don't describe or reference vulnerabilities, all content should be acceptable.\n\nFor a more detailed Disclosure Policy that includes examples of acceptable and non-acceptable security reviews, please see the [Disclosure Policy](https://github.com/ossf/security-reviews/wiki/Disclosure-Policy) page of the [Wiki](https://github.com/ossf/security-reviews/wiki). If you are ever unsure, we encourage you to seek guidance by opening an issue (please do not provide specifics), and a maintainer will advise on the most appropriate course.\n\n## Quality Bar\n\nWhen evaluating whether a submitted review meets the quality bar, maintainers will consider the following:\n\n * **Evidence-based:** While opinions are allowed, all opinions must be clearly supported by specific evidence. That evidence could be analysis of source code (showing code snippets is recommended), fuzzing results, and so on. The opinions can be positive or negative, but they must be evidence based.\n\n * **Credibility:** Does the content appear to be credible? For example, if a review just contained the text, \"Project X has lots of vulnerabilities. Don't use it\", the maintainer should request clarification and expansion of the content until it provides the reader with sufficient information to understand the risk. Such an explanation need not be exhaustive. 
For \"positive\" reviews\n\n * **Reasonable:** Does the content sound reasonable? For example, if there are obvious incorrect assertions or poor advice (\"Enable 'strict mode' to prevent SQL Injection attacks\", \"Switch from HTTPS to HTTP to improve performance\"), then the maintainer should request changes, and the conversation should continue within the pull request until it is resolved.\n\n * **Not a 0-Day:** Does the submission appear to comply with the [Disclosure Policy](https://github.com/ossf/security-reviews/wiki/Disclosure-Policy)? This essentially means, \"does the submission contain a newly-disclosed vulnerability?\" If the submission appears to violate this policy, it will be closed. The submitter may open an Issue to discuss the matter. If the submission is particularly sensitive, a maintainer may request GitHub perform a \"hard delete\" of the PR, but we make no guarantee that the content will not be available. **Please, reflect on the nature of the content you intend to submit, and ask us if you have any doubts.**\n\nIt would be infeasible for the reviewer of a pull request to \"re-evaluate\" the package from the submitted review to \"double-check\" the work product. As such, submissions by new contributors may be subject to additional scrutiny.\n\nThe quality bar is also included in the [PR Review Process](https://github.com/ossf/security-reviews/wiki/PR-Review-Process) of the [Wiki](https://github.com/ossf/security-reviews/wiki). Please note that this quality bar is subject to change over time.\n\nFor more information, view this [wiki](https://github.com/ossf/security-reviews/wiki/Vulnerability-Disclosure) page.\n\n## Motivation\n\nThere are two main motivations that led to this project.\n\nFirst, we weren't aware of any public resources that gave **positive indicators**\nabout the security quality of open source components. 
If three\norganizations were all using the same component, they would consider\nreviewing the component in some way, wasting effort that could\nbe better directed at other components.\n\nSecond, the safety of a component is more than a simple \"lack of\nvulnerabilities\". Consider the case of a GUID generator that uses a\nstrong cryptographic function and the current time as part of its\nalgorithm. It's debatable whether this type of design should\nbe considered a vulnerability (as randomness isn't essential when\ngenerating GUIDs), but in many cases, developers implicitly\nassume that an attacker cannot guess what GUID will be generated.\nIn this regard, a security review could state that the\nGUID generator is specifically not resistant to prediction, which\ncould be of help to a developer trying to identify the best tool\nfor the job.\n\n## Objective\n\nThe primary objective of this project is to collect and curate\nsecurity reviews performed against open source software components,\nand to make these freely available to stakeholders.\n\n## Scope\n\nThe scope of this project includes any software that is distributed\nunder an [open source](https://opensource.org/licenses) license.\n\n## Prior Work\n\nThere are many tangentially-related projects (the NIST CVE database,\nGitHub Security Advisories, commercial vulnerability databases), and\nmany security researchers make available their own security assessments,\nbut to the best of our knowledge, this project is somewhat unique\nin its purpose and approach.\n\n## Licenses\n\nAll reviews here are under a permissive license.\nUnless stated otherwise, documentation is released under the\n[Creative Commons Attribution 4.0 (CC-BY-4.0) license](https://creativecommons.org/licenses/by/4.0/legalcode.txt),\nwhile code is released under the Apache license 2.0 (Apache-2.0).\nThe documentation may link to other materials; those other materials retain\ntheir licenses.\n\n## Security / vulnerability reporting\n\nFor information 
on how to\nreport vulnerabilities in the software in this repository\n(e.g., our scripts), see\n[SECURITY.md](./SECURITY.md).\n\n## More Information\n\nFor more information on this project and the Open Source Security\nFoundation, please visit https://openssf.org.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fossf%2Fsecurity-reviews","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fossf%2Fsecurity-reviews","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fossf%2Fsecurity-reviews/lists"}