{"slug": "cortex-audit-complete", "title": "Cortex Audit Complete!", "summary": "The Open Source Technology Improvement Fund announced the completion of a security audit of Cortex, an open-source storage for Prometheus and OpenTelemetry. Conducted by Quarkslab and supported by the Cloud Native Computing Foundation, the audit found seven security issues (six medium, one low), all of which have been fixed. The project recommends updating to the latest release.", "body_md": "The **Open Source Technology Improvement Fund** is proud to share the results of our security audit of[ Cortex](https://cortexmetrics.io/). Cortex functions as a long-term, multi-tenant scalable open source storage for Prometheus and OpenTelemetry. Thanks to [Quarkslab](https://www.quarkslab.com/) and the [Cloud Native Computing Foundation](https://www.cncf.io/) (CNCF), Cortex received custom review and documentation for current and future security development.\n\n**Audit Process**:\n\nIn early spring of 2026, two auditors from Quarkslab reviewed the overall security posture of Cortex using whitebox code review methods. First, they undertook a period of discovery, followed by studying the previously created threat model and alignment with project maintainers. Once an understanding of the project and its threat vectors was reached, the audit shifted to a period of code review with static analysis and finally dynamic testing. The focus of this work was around the security health of the tenant boundary and cluster operations. That means interrogating the confidentiality, integrity, and availability of those two functions.\n\n**Audit Results**:\n\n- 7 Findings with Security Impact\n- 6 Medium\n- 1 Low\n\n- Custom Project Documentation\n- Fix Recommendations\n- Recommendations for Future Security Development\n\nThe report documents the positive impressions of the auditors as well as insights to the project’s strengths and overall risk areas. All seven findings identified by this work have undergone verified fixes, so update to the most recent release of the Cortex project to take advantage of the work performed by the maintainers and auditors in this engagement. If you would like to learn more about Cortex or contribute, see their [website](https://cortexmetrics.io/docs/) for more information.\n\n**Thank you** to the individuals and groups that made this engagement possible:\n\n- Cortex maintainers and community, especially: Daniel Blando\n- Quarkslab, especially: Pauline Sauder\n- Cloud Native Computing Foundation\n\nYou can read the Audit Report **HERE**\n\nRead the Audit Fix Response **HERE**\n\nEveryone around the world depends on open source software. If you’re interested in supporting this critical work, [reach out to us](https://forms.clickup.com/90132124106/f/2ky4p4ea-3833/O6UZRESBTKJLR0VB72)!", "url": "https://wpnews.pro/news/cortex-audit-complete", "canonical_source": "https://ostif.org/cortex-audit-complete/", "published_at": "2026-07-06 14:00:44+00:00", "updated_at": "2026-07-07 01:18:30.549767+00:00", "lang": "en", "topics": ["ai-infrastructure", "ai-safety"], "entities": ["Open Source Technology Improvement Fund", "Cortex", "Quarkslab", "Cloud Native Computing Foundation", "Prometheus", "OpenTelemetry", "Daniel Blando", "Pauline Sauder"], "alternates": {"html": "https://wpnews.pro/news/cortex-audit-complete", "markdown": "https://wpnews.pro/news/cortex-audit-complete.md", "text": "https://wpnews.pro/news/cortex-audit-complete.txt", "jsonld": "https://wpnews.pro/news/cortex-audit-complete.jsonld"}}