Cortex Audit Complete! The Open Source Technology Improvement Fund announced the completion of a security audit of Cortex, an open-source storage for Prometheus and OpenTelemetry. Conducted by Quarkslab and supported by the Cloud Native Computing Foundation, the audit found seven security issues (six medium, one low), all of which have been fixed. The project recommends updating to the latest release. The Open Source Technology Improvement Fund is proud to share the results of our security audit of Cortex https://cortexmetrics.io/ . Cortex functions as a long-term, multi-tenant scalable open source storage for Prometheus and OpenTelemetry. Thanks to Quarkslab https://www.quarkslab.com/ and the Cloud Native Computing Foundation https://www.cncf.io/ CNCF , Cortex received custom review and documentation for current and future security development. Audit Process : In early spring of 2026, two auditors from Quarkslab reviewed the overall security posture of Cortex using whitebox code review methods. First, they undertook a period of discovery, followed by studying the previously created threat model and alignment with project maintainers. Once an understanding of the project and its threat vectors was reached, the audit shifted to a period of code review with static analysis and finally dynamic testing. The focus of this work was around the security health of the tenant boundary and cluster operations. That means interrogating the confidentiality, integrity, and availability of those two functions. Audit Results : - 7 Findings with Security Impact - 6 Medium - 1 Low - Custom Project Documentation - Fix Recommendations - Recommendations for Future Security Development The report documents the positive impressions of the auditors as well as insights to the project’s strengths and overall risk areas. All seven findings identified by this work have undergone verified fixes, so update to the most recent release of the Cortex project to take advantage of the work performed by the maintainers and auditors in this engagement. If you would like to learn more about Cortex or contribute, see their website https://cortexmetrics.io/docs/ for more information. Thank you to the individuals and groups that made this engagement possible: - Cortex maintainers and community, especially: Daniel Blando - Quarkslab, especially: Pauline Sauder - Cloud Native Computing Foundation You can read the Audit Report HERE Read the Audit Fix Response HERE Everyone around the world depends on open source software. If you’re interested in supporting this critical work, reach out to us https://forms.clickup.com/90132124106/f/2ky4p4ea-3833/O6UZRESBTKJLR0VB72