Name		Name	Last commit message	Last commit date
parent directory ..
README.md		README.md
update-2024-01.md		update-2024-01.md
update-2024-02.md		update-2024-02.md
update-2024-03.md		update-2024-03.md
update-2024-04.md		update-2024-04.md
update-2024-05.md		update-2024-05.md
update-2024-06.md		update-2024-06.md
update-2024-07.md		update-2024-07.md
update-2024-08.md		update-2024-08.md
update-2024-09.md		update-2024-09.md
workflow1.png		workflow1.png
workflow2.png		workflow2.png

README.md

Alpha Engagement: OpenRefactory

OpenRefactory thanks Alpha-Omega for supporting the project to report vulnerabilities at scale.

OpenRefactory will work alongside with Alpha-Omega project’s principals to report security vulnerabilities at scale in open source projects and work with the maintainers to get the vulnerabilities fixed:

OpenRefactory will analyze open source software written in two languages: Java and Python. The goal is to analyze top 10,000 open source projects in these languages with OpenRefactory’s own Intelligent Code Repair (iCR) tool as well as the Omega Analyzer.
OpenRefactory will concentrate on the following critical security categories: SQL Injection, Cross-Site Scripting (XSS), Command Injection, Path Manipulation, Deserialization, XML External Entity (XXE) Injection. In future, the proposed work will extend into security hardening and other kinds of bugs as well.
OpenRefactory will use a portal to triage bug reports from their proprietary tool iCR (Intelligent Code Repair) and other tools from the Omega toolchain.
Reports will include a range of problems which will require manual review.
OpenRefactory will triage manually and follow the model outbound vulnerability disclosure policy to report the bugs in a responsible manner.
OpenRefactory will follow the submissions and work with the maintainers to correct the issues.

The following KPIs will be tracked:

The total number of projects that have ben analyzed
The total number of issues that have been reported as True Positives
The number of those reported issues for which exploit code was created
The number of those reported issues for which fixes have been generated
How many reports have been accepted?
How many reports have been rejected?
The number of "clean" projects where no security issues were uncovered

Timeline

This engagement started in July 2023. Reports for 2023 are available here: https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2023/OpenRefactory

Monthly Updates

Primary Contacts

Munawar Hafiz - CEO, OpenRefactory
Ataf Ahmed - Secure Software Engineer, OpenRefactory

Announcements / News

Blog post on early results: How to serve open source maintainers without annoying them?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OpenRefactory

OpenRefactory

README.md

Alpha Engagement: OpenRefactory

Timeline

Monthly Updates

Primary Contacts

Announcements / News

Files

OpenRefactory

Directory actions

More options

Directory actions

More options

Latest commit

History

OpenRefactory

Folders and files

parent directory

README.md

Alpha Engagement: OpenRefactory

Timeline

Monthly Updates

Primary Contacts

Announcements / News