OTF is excited to announce the refresh of its Red Team Lab, which carries out security assessments of software projects that seek to enhance privacy and security for their users.
As one of the original Resource Labs, OTF has partnered with over 10 service providers over the course of the Red Team Lab’s history to provide in-kind offerings that strengthen the security of open source internet freedom software. The lab supports projects that advance OTF’s internet freedom goals with security audits, public safety audits, cryptography services, forensic analysis, and other security services for software applications.
In 2021, OTF solicited proposals to refresh the Red Team Lab and engage information security professionals who could add depth and additional services, so that the people behind internet freedom tools have what they need to build a safer experience for users living under repressive information controls online. Following an extensive review of applicants, OTF is proud to partner with the following service partners:
- Include Security
- Radically Open Security
- Trail of Bits
- Eaton Cybersecurity SAFE Lab
The Red Team Lab offers security audits for developers and maintainers who need an assessment of their application, as well as public safety audits, which investigate applications suspected of contributing to human rights violations or widespread surveillance. Anyone can report an application exhibiting suspicious behavior to the Red Team Lab and request a security audit of it.
Some examples of previous public safety audits conducted by OTF include:
- Study The Great Nation: an educational app by the Chinese Communist Party (CCP) with technical capabilities well beyond its apparent purpose, which retains a high level of access to the user’s device.
- IJOP: an app that CCP police and other government officials use to communicate with the Integrated Joint Operations Platform, the main system Chinese authorities use for mass surveillance of Uyghurs and other Turkic Muslims in Xinjiang. The platform aggregates data about people and flags those it deems potentially threatening, some of whom are then detained and sent to political education camps and other facilities.
- Feng Cai: an app used by security forces in China to scan and collect large amounts of information from the phones of tourists and other travelers, with the collected data then uploaded to a local file server over clear-text HTTP with no transport encryption or other protection.
OTF’s Red Team Lab has also completed security audits that have strengthened software security and improved confidence among community partners. This past year, OTF commissioned a security audit of Hypha, the open source submission management platform that OTF and community partners have developed over the past several years. The Hypha team worked with OTF service partner Radically Open Security, which assessed the platform, identified vulnerabilities, and worked with the team to resolve them, helping to ensure the continued safety and security of OTF applicants. As part of OTF’s commitment to transparency, the full audit can be read online.
Please visit the Red Team Lab page to learn more about the lab, the services it offers, our partners, and the scope of their services. You can apply for support through the Red Team Lab by clicking here.
If you are a community member, information security expert, or tool developer, or are otherwise interested in the Red Team Lab’s work, please do not hesitate to contact OTF’s Vice President of Security, Sarah Aoun.