In case anyone is interested - it's nice to have some positive feedback from a security researcher. Good work, Jan.

There's a pdf report with the original mail which is too large to send on this list. If anyone wants it, please let me know.

-d


--- Forwarded message ---
From: Derek Zimmer de...@ostif.org
Date: May 20, 2025 22:16:47
Subject: log4net security audit publishing
To: dav...@gmail.com

Hello Davyd,

I'm Derek, founder of OSTIF. We conduct security research on open source
projects for free.

I just wanted to let you know that one of our teams reviewed log4net and
had no security findings. We also had a look at log4cxx and had a few
noteworthy things, so we will be publishing our work related to that and
the fixes that are now in place.

Because log4net will be mentioned in the doc, even though there are no
findings related to your project, I wanted to make sure that we gave you a
heads up before publishing. If you could pass it along to Jan as well that
would be helpful. They have their email hidden in GitHub so we can't reach
out directly.

The report which mentions your project is attached. (This was a very short
engagement, so no findings doesn't mean perfect code, but it does mean that
there are no low-hanging issues or obvious logic problems apparent to the audit
team based on what log4net does and the threat model.)

We will publish our work soon.

Keep up the good work!

All the best,

Derek Zimmer
Executive Director
Open Source Technology Improvement Fund
Schedule a meeting with me anytime: https://calendly.com/derek-ostif
