Cloudron Forum, Off-topic

BSI ~~investigates~~ reviews open source software Matrix and Mastodon

4 Posts, 3 Posters, 881 Views
#1 luckow (translator)

The German Federal Office for Information Security invests in FLOSS security. In their latest investigation, they looked into Matrix & Mastodon. Here is the report (sorry: German only).

https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldungen/Projekt_CAOS_20_240702.html

Translated to English via deepl.com:
"Together with mgm security partners GmbH, the BSI checked the source code of the communication software Matrix and the social media micro-blogging software Mastodon for possible flaws. The BSI immediately notified the affected developers of critical vulnerabilities. They analyzed the vulnerabilities and have already responded. Other flaws were addressed as part of a responsible disclosure procedure. The results now published are a combination of source code review, dynamic analysis and interface analysis in the areas of network interfaces, protocols and standards."

Ask your local authorities to invest in FLOSS.

Pronouns: he/him | Primary language: German
#2 necrevistonnezr

I'd change "investigates" in your header to "reviews" or similar. When public authorities "investigate", it's usually because they expect wrongdoing.
#3 timconsidine (App Dev)

Interesting, but I am unclear whether BSI are pro-FLOSS / Matrix / Mastodon.
It may be a translation issue, but the report is underwhelming in its excitement and positivity.
#4 necrevistonnezr

They are license-agnostic, I'd say. They focus on security.

The press release in full:

"As part of the project on "Code Analysis of Open Source Software" (CAOS 2.0), the German Federal Office for Information Security (BSI) has examined the security features of the Matrix communication software and the Mastodon social media micro-blogging software.

In most cases, cyber attacks can be traced back to errors in the program code of the affected applications. The CAOS project helps to identify and eliminate common vulnerabilities and risks. The BSI worked with mgm security partners GmbH to check the source code of the Matrix communication software and the Mastodon social media micro-blogging software for possible defects. The BSI immediately notified the affected developers of critical vulnerabilities. They analyzed the vulnerabilities and have already responded. Further deficiencies were addressed as part of a responsible disclosure procedure. The results that have now been published are a combination of source code review, dynamic analysis, and interface analysis in the areas of network interfaces, protocols, and standards.

In cooperation with mgm security partners GmbH, the BSI launched the "Code Analysis of Open Source Software" (CAOS) project in 2021. The project's task is to analyze vulnerabilities with the aim of increasing the security of open source software. The project is intended to support developers in creating secure software applications and to increase trust in open source software. The focus is on applications that are increasingly used by public authorities or private users. This new publication presents the results of the follow-up project "Code Analysis of Open Source Software" (CAOS 2.0).

Further code analyses are planned to increase the security of open source software in the future. The project on "Code Analysis of Open Source Software" will be continued under the name CAOS 3.0. The results will also be published on the BSI website after a responsible disclosure procedure. This procedure allows developers a reasonable period of time to fix security vulnerabilities before they are published."