This blog was originally published on the OSTIF website on October 9, 2025 by Helen Wooste
The Open Source Technology Improvement Fund is proud to share the results of our security audit of OpenSSF Scorecard. OpenSSF Scorecard is an open source automated testing resource to help projects continually assess security risks. With the help of ADA Logics and the OpenSSF, this project can continue to provide the open source community with a free and proactive security best practice that is easy for maintainers to use.
Audit Process:
This engagement was undertaken by the ADA Logics team during early summer of 2025. Within the scope of review were five repositories: scorecard-webapp, scorecard-action, scorecard-monitor, scorecard, and allstar. These five projects underwent formal threat modeling, which then guided the manual code review that followed. Each repository interacts with different interfaces, handles different (potentially sensitive) data, and therefore has a different attack impact that shapes its security needs. Fuzzing work was also performed during this audit and uncovered some of the reported findings.
Audit Results:
- 9 issues with security impact
  - 2 Medium
  - 5 Low
  - 2 Informational
- Formal threat models of the following repositories
  - scorecard-webapp
  - scorecard-action
  - scorecard-monitor
  - scorecard
  - allstar
- Continuous fuzzing of the majority of Scorecard probes via integration into OSS-Fuzz
The OpenSSF Scorecard maintainers were active and helpful participants throughout the audit. Many issues reported by this audit have been addressed, so if you are a user of OpenSSF Scorecard, please update to the most recent version in order to take advantage of the work by both ADA Logics and the maintainers. Additionally, if you would like to contribute to Scorecard, click this link to see the available meetings for further discussion.
Thank you to the individuals and groups that made this engagement possible:
- OpenSSF Scorecard maintainers and community, especially: Spencer Schrock, Raghav Kaul, Stephen Augustus, and Jeff Mendoza
- ADA Logics: David Korczynski and Adam Korczynski
- The OpenSSF
You can read the Audit Report HERE
Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, reach out to contactus@ostif.org.
OSTIF is celebrating our 10 year anniversary! Join us for a meetup about our work, lessons learned, and where we see the future of open source security going by following our meetup calendar https://lu.ma/ostif-meetups
To get involved, visit openssf.org and join the conversation on Slack, GitHub, and upcoming community events.
Helen is a Hoosier who spent her youth in West Lafayette and then Bloomington, Indiana, spending time in the latter earning her undergraduate degree in History from Indiana University. A month after graduation she moved to Chicago where she worked in hospitality and food service management, running a variety of enterprises from bakeries to high-end restaurants to a pasta food truck. In 2023, she transitioned into open source by accepting a position with OSTIF. She is grateful for the opportunity to work with a global community that prioritizes sharing free knowledge for the greater good.