## Qualifying information

**Technical Initiative** Securing Software Repositories Working Group

**Lifecycle Phase** Graduated

**Funding amount** $150,000

## Problem Statement

Most Central Artifact Repositories — critical infrastructure for the OSS ecosystem — have never undergone dedicated, in-scope security audits tailored to their role in dependency resolution. As a result, vulnerabilities in these public services may persist undetected, exposing developers and build systems to supply chain risk.

## Who does this affect?

This affects nearly all open source consumers and maintainers — from individual developers to large corporations — who rely on artifact repositories like PyPI, Maven Central, npm, RubyGems, Docker, and the Gradle Plugin Portal in CI/CD workflows. A vulnerability in a single repository can have downstream consequences for thousands of projects and organizations.

## Have there been previous attempts to resolve the problem?

Yes. The original [Great Artifact Repository Audit](https://docs.google.com/document/d/1EzYfM5-S5I27fC8_YE-bN-nm-J8Q1tG6aC_MKYpUvH0/edit) proposal was drafted by Jonathan Leitschuh and the OpenSSF Securing Software Repositories WG in May of 2023. Since then, several ecosystems have undergone security audits — including [PyPI](https://blog.pypi.org/posts/2023-11-14-1-pypi-completes-first-security-audit/), [RubyGems](https://blog.rubygems.org/2024/12/11/security-audit.html), [Composer](https://blog.packagist.com/composer-2-7-7/), and [Homebrew](https://brew.sh/2024/07/30/homebrew-security-audit/) — funded by OpenSSF Alpha Omega and the Open Technology Fund. These efforts demonstrate both the feasibility and value of such audits. However, they’ve largely been ad hoc: scoped independently, coordinated informally, and lacking shared follow-up processes.
This initiative seeks to build on those successes by providing coordination capacity to explore how recurring audits might be supported — and to help define consistent, ecosystem-agnostic expectations around scope, remediation, and public disclosure. The goal is not to standardize implementation, but to reduce fragmentation and raise the overall security baseline across all packaging ecosystems.

## Why should it be tackled now and by this TI?

The Securing Software Repositories WG is well positioned to lead this effort, having already coordinated several audits and maintained the [Repository Security Capabilities Tracker](https://github.com/ossf/wg-securing-software-repos/pull/88). Community momentum and funder interest are strong. Several organizations have already expressed interest in supporting funding artifact ecosystem audits. Without dedicated coordination, further audits may be delayed, under-scoped, or left incomplete. This funding will provide the capacity to help move Gradle toward an audit-ready state and engage other ecosystems for audits.

---

## Proposed work and other work considered

### What is required to make the funding initiative happen?

- A full-time technical coordinator (Jonathan Leitschuh) with deep experience in OSS security audits, vulnerability disclosure, and cross-ecosystem engagement
- Continued support from the Securing Software Repositories WG
- Partnership with OpenSSF staff to scope and support audits
- Budget flexibility to:
  - Engage security firms, legal counsel, or technical writers
  - Build and maintain a lightweight public-facing website
  - Travel to and promote this work at key security and OSS conferences

### What is going to be needed to deliver this funding initiative?
- Engagement with the Gradle Plugin Portal team to identify and prioritize pre-audit work
- Partner and funder coordination (e.g., OSTIF, Alpha-Omega, major ecosystem consumers)
- Creation of reusable templates for audit scopes and disclosure coordination
- Public tracking of work via a dedicated site and OpenSSF WG channels
- Stakeholder re-engagement in at least four additional packaging ecosystems, including, but not limited to:
  - Maven Central (Java, Groovy, Scala)
  - NuGet (.NET)
  - Conan (C & C++)
  - Docker (Containers)
  - Golang (Go)
  - Crates.io (Rust)
  - Packagist (PHP)
  - CocoaPods (Swift)

### Are there tools or tech that still need to be produced?

Yes. A lightweight project website will:

- Host completed and upcoming audit reports
- Provide transparency into project priorities and scope
- Track milestones, blog updates, and community participation

---

## Requirements and cost context

The requested funds will support:

- **6 months of full-time coordination** ($150,000)
- **Website setup** ($5k–$10k): To promote transparency and encourage cross-ecosystem alignment
- **Conference travel/outreach** ($5k–$10k): To advocate for artifact repository security at relevant events
- **Discretionary support** (as needed): Legal review, copy editing, or design support for audit deliverables

---

## Responsible parties

**Responsible** Jonathan Leitschuh ([GitHub @JLLeitschuh](https://github.com/JLLeitschuh))

**Accountable** Jonathan Leitschuh

**Backup plan** If unavailable, the Securing Software Repositories WG will nominate a temporary coordinator and coordinate with OpenSSF staff to maintain momentum.
**License**

- Documentation: Creative Commons Attribution 4.0 International (CC BY 4.0)
- Code/templates: Apache License 2.0

- [x] I agree to follow the OpenSSF's [Code of Conduct](https://openssf.org/community/code-of-conduct/)

---

## Milestones and approximate timeline

**April–May 2025**

- Kick off initiative with Securing Repos WG and OpenSSF staff (ongoing)
- Re-engage Gradle Plugin Portal maintainers (ongoing)
- Launch project website with scope, vision, and past audit summaries
- Publish draft audit/disclosure templates
- Begin outreach to four additional ecosystems for potential audits

**June–July 2025**

- Support Gradle’s audit-readiness work (vulnerability remediation, infra hardening)
- Coordinate funder interest and ecosystem partner support
- Publish update: "Laying the Groundwork for the Gradle Audit"
- Begin scoping audit with a minimum of two identified ecosystems

**August–September 2025**

- Finalize audit scope and partner coordination (security firm, funder, Gradle)
- Expand roadmap and ecosystem engagement tracking on the website
- Support identified ecosystems' audit-readiness work (vulnerability remediation, infra hardening)
- Deliver recap report and roadmap for audit sustainability and repeatability of this work

---