In 2024 the FreeBSD Project undertook one main project and two minor ones:
Major: A code audit of two significant subsystems (the bhyve hypervisor, and the Capsicum sandboxing framework).
Minor: An initial Process Audit and an MFA (Multi-Factor Authentication) pilot.
All projects are complete, with the exception of the MFA project which remains paused as previously announced, allowing the community to focus on existing projects.
This project was completed in November 2024.
The Process Audit is complete. It was created by FreeBSD Foundation staff who ran an outreach exercise to gather information about the current FreeBSD development process. The teams consulted were:
Information was gathered through an online long-form survey which was structured around existing frameworks for analysing security in software development. Teams were asked to describe current development processes and appraise the current security practices, as well as to make suggestions for improvements.
The responses were collated and synthesised into the report by Foundation staff. The report was reviewed for accuracy by the original respondents.
The report will now be made available to the Security Team and other teams previously mentioned, as well as to the Foundation executive team. This will be a useful tool in identifying areas for investment and prioritisation going forward as more security projects are planned and funded.
The report is intended primarily for FreeBSD Project and Foundation planning purposes and as such there is no plan to promote it to an external audience. Interested readers should contact the Security Team to request a copy of the report.
As announced in September, the Multi-Factor Authentication project remains paused until 2025. This decision continues to support the community's focus on existing projects and ensures a sustainable pace of work.
The FreeBSD Security Team oversees the identification, mitigation, and disclosure of security vulnerabilities within the FreeBSD operating system. They provide timely security advisories, coordinate responses to reported vulnerabilities, and maintain a comprehensive security infrastructure to safeguard FreeBSD systems. Users can access security advisories, security officer reports, and information on security policies and best practices to ensure the security and integrity of their FreeBSD deployments.
The FreeBSD vulnerability reporting and disclosure policy provides guidelines for responsible disclosure, including how to securely communicate vulnerabilities to the FreeBSD Security Team. Additionally, it details the process followed by the Security Team for evaluating, addressing, and disclosing reported vulnerabilities, ensuring timely and transparent handling of security issues within the FreeBSD community.