7ASecurity is proud to share the results of our security audit of Stork. Stork is an open source project developed by the Internet Systems Consortium (ISC) that acts as an administrative interface for monitoring, maintaining, and surveilling Kea servers. In collaboration with The Open Source Technology Improvement Fund, this project received custom security testing, documentation, and tooling contributing to Stork’s ongoing security and development work.

Audit Process:
An audit team of 8 experts from 7ASecurity carried out this engagement in September and October of 2025, spending almost 37 working days to execute 6 work packages on the project. Using whitebox testing methods, the auditors reviewed the Stork web frontend, backend, agents, authentication logic, and APIs, performed a Supply-Chain Levels for Software Artifacts (SLSA) analysis, and executed a lightweight threat modeling exercise. The audit team also reviewed Stork's dependency management and created an SBOM that was given to the Stork team.
Audit Results:
- 7 Findings with Security Impact
  - 2 High
  - 4 Medium
  - 1 Low
- 5 Hardening Recommendations
- Formal Threat Model
- Supply-chain security review
- Formal SBOM
The team supporting this audit from the Stork project were engaged and helpful partners, which clarifies and expedites complicated and large security engagements like this one for the auditors. In the audit report conclusion, the auditors emphasized the positive impression left by the project with respect to Stork's maturity, architecture, and development practices. The Stork team also created fixes for all 7 findings with security impact, and 7ASecurity has verified these fixes.
Thank you to the individuals and groups that made this engagement possible:
- Stork maintainers and community, especially: Andrei Pavel, Marcin Siodelski, Piotrek Zadroga, Slawek Figiel, Tomek Mrugalski, Vicky Risk, Wlodzimierz Wencel, and Yavor Peev
- OSTIF: Amir Montazery, Derek Zimmer, Helen Woeste and Tom Welter
- The ISC: "This audit was part of a project funded through the ICANN Grant Program. ICANN is a nonprofit public benefit corporation established in 1998. Its mission is to ensure a stable, secure, and unified global Internet by coordinating the allocation and management of Internet Protocol (IP) addresses, domain names, and protocol parameters."
You can read the Audit Report HERE
You can read OSTIF’s Blog HERE
Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, reach out to contactus@ostif.org. Follow https://lu.ma/ostif-meetups to subscribe to our OSTIF events page.