What is the purpose of the Red Team Lab?
By offering 3rd party services and direct funds, this lab strives to strengthen the security of open-source Internet freedom software by:
- Providing professional security audits,
- Supporting bug bounties,
- Validating the privacy and security claims of software projects, and
- Advancing projects’ software security best practices.
The lab focuses on improving the software security of projects that advance OTF’s Internet freedom goals by ensuring that code, data, and people behind the tools have what they need to create a safer experience for people experiencing repressive information controls online. The primary work of this lab is reactive, reviewing and responding to issues in pre-existing software. All of this work will be conducted either by service partners or applicants themselves—with triage and oversight by OTF.
Challenges the lab seeks to address
- The people who need Internet freedom software have already been targeted and have already become vulnerable before they use a tool that increases their attack surface.
- There are a number of high-impact software projects that many people in repressive countries depend on, but that don’t regularly have security audits or a bug bounty, because the cost of high-quality security audits and bug bounties is prohibitive.
- There are a lot of claims made by new and old software projects that are hard to verify without a professional review and an audit of the code behind the effort.
- Being a competent software developer doesn’t always mean the same thing as being a competent security researcher who can think like an adversary.
- There are a growing number of applications submitted to our other funds that are in situations in which OTF would prefer to see the results of a security audit before considering funding further.
- In the early stage of efforts, developers often don’t know who they can turn to for security design and architecture advice.
- A growing number of projects with goals that are within our Internet freedom remit are only looking to OTF for support of a security-related objective that is very specific and minimal in terms of the time, money, or other resources that are needed, and, as such, doesn’t warrant the burdensome application process of our other funds (but would have a notable impact).
- There are additional costs associated with supporting service providers through each project individually versus making arrangements with providers on behalf of the field of practitioners advancing Internet freedom within OTF’s remit (and then getting volume discounts).
Who will the Red Team Lab support?
The lab will prioritize supporting these projects:
- Current and past Internet freedom efforts supported with public funds from OTF, BBG, the Department of State; and,
- Efforts that fit with OTF’s overall mission and goals but, for various reasons, may not be currently or previously supported Internet freedom efforts.
In response to the above challenges, the lab will provide specific short-term support to people or organizations representing software projects conducting work within OTF’s Internet freedom remit who apply. The lab will offer access to services made available by 3rd party consultants OTF has contracted with, or to the lab’s service providers, or will offer funds directly to applicants who demonstrate the ability to accomplish the work themselves. The ideal applicant is a software developer, project lead, systems administrator, or an information security technologist who can speak on behalf of a software project that has the ability to adequately respond to and maintain the lab’s output after the support is concluded.
If an applicant appears to be unable to respond or be responsible for the outputs of the lab-supported effort, the application may not be considered competitive, may be dismissed, and/or may be directed to apply to one of OTF’s other more appropriate funds.
What kinds of outcomes will the Red Team Lab support?
This lab could be useful for software projects that:
- Want the funds or people to conduct a professional security audit of their software;
- Are looking for funds or people to implement remediation/fixes to known software vulnerabilities;
- Have the internal capacity to support or host their own bug bounty program, but need funds;
- Don’t have the internal capacity to support a bug bounty program and are happy to deploy a hosted bug bounty program such as HackerOne or BugCrowd; or
- Need the funds or people for a one-off security architecture and design review in the early stages of a project from a trusted and capable 3rd party.
The lab does not focus on the ongoing development of new features (including software maintenance) in existing software, the creation of brand new tools, emergencies and other rapid response needs, or support of the underlying infrastructure of a project. The Internet Freedom Fund, Core Infrastructure Fund, Rapid Response Fund, or Engineering Lab are the more appropriate support mechanisms for these needs.
Below is a selection of scenarios to illustrate the focus of the Engineering Lab versus that of other OTF funds:
- An Internet freedom project seeking a security audit would be supported through the Red Team Lab.
- An Internet freedom project seeking support to start a new bug bounty program to pay researchers for found vulnerabilities would be supported through the Red Team Lab.
- An Internet freedom project looking for short-term support for remediation of known vulnerabilities would be supported through the Red Team Lab.
- Ongoing operating expenses for secure hosting services would be supported through the Engineering Lab.
- Advancing the functionality and features offered by a security- or privacy-enhancing library used by other software projects would be supported through the Core Infrastructure Fund.
- A human rights reporting app being actively targeted by censors, which wants support for a discrete, one-off effort to integrate privacy-enhancing or circumvention technology into the app, would be supported through the Engineering Lab.
- A new security tool that needs to be created to solve a problem experienced by people in a repressive country would be supported through the Internet Freedom Fund.
Coming soon :-)
How will the lab offer these services?
Retain service partners
Requested services and criteria for partners will be developed on an ongoing basis with feedback from lab applicants and the broader Internet freedom field. As needed, we will make Request for Partner opportunities available to ensure that we’re able to offer what is needed.
Offer an open application
We will continue to make an always-open application form available. The form will ask questions to ensure that the applicant’s overall effort is within remit, that they are requesting services we are capable of offering, and that they are capable of responding to and maintaining what we provide after OTF support.
- Applicant applies directly to OTF, or a service partner applies to OTF on behalf of a project or organization.
- OTF reviews the application.
- OTF and the applicant amend/edit the application as needed.
- If the application is not from a service partner:
  - OTF approves the request for pre-scoping feedback with service partners.
  - OTF sends the application to service partners for their feedback and identifies who’s best to conduct the effort (availability, capacity, skills, etc.).
  - OTF and the applicant may need to amend/edit the application again before final approval with the service partner.
- Work is conducted.
- OTF receives a read-out from the service partner or applicant once the effort has been concluded.
- An invoice for the effort is sent to OTF from the service partner or applicant.
- The effort is concluded.
Who are the Lab’s service partners?
Questions, comments, or feedback?
The best place to start is to review, join, and add to the public discussion at we.opentech.fund. If there is a need to contact us directly, feel free to email [email protected].