{"slug": "kubeflow-audit-complete", "title": "Kubeflow Audit Complete", "summary": "The Open Source Technology Improvement Fund completed a security audit of Kubeflow, auditing six projects in its ecosystem with 14 findings including three critical vulnerabilities. The audit, performed by ADA Logics and supported by the Cloud Native Computing Foundation, included fuzzing, code review, and threat modeling. Kubeflow maintainers have addressed the issues, and users are urged to update to the latest release.", "body_md": "The **Open Source Technology Improvement Fund** is proud to share the results of our security audit of [Kubeflow](https://www.kubeflow.org/). Kubeflow functions for building and deploying customizable machine learning workflows in Kubernetes, and has many subprojects able to be implemented individually or in combination. Thanks to [ADA Logics](https://adalogics.com/) and the [Cloud Native Computing Foundation](https://www.cncf.io/), Kubeflow underwent a custom security engagement that audited 6 projects in the Kubeflow ecosystem.\n\n**Audit Process**:\n\nIn late summer of 2025, two security engineers from ADA Logics performed a holistic review of a selection of projects in the Kubeflow ecosystem: [Katib](https://www.kubeflow.org/docs/components/katib/overview/), [Trainer](https://www.kubeflow.org/docs/components/trainer/), [Spark Operator](https://www.kubeflow.org/docs/components/spark-operator/overview/), [Notebooks](https://www.kubeflow.org/docs/components/notebooks/), [Model Registry](https://github.com/kubeflow/hub), and [Pipelines](https://www.kubeflow.org/docs/components/pipelines/). These audits included CI testing, fuzzing work, thread modeling, code review, and supply chain security review for each of the projects. Read more about each project’s results in the audit report linked below.\n\n**Audit Results**:\n\n- 14 Findings with Security Impact\n- 3 Critical\n- 7 Moderate\n- 2 Low\n- 2 Informational\n\n- OpenSSF Scorecard assessments of all 6 projects\n- Custom threat modelling documentation for all 6 projects\n- Fuzzing implemented for 4 projects: Katib, Pipeline, Spark Operator, and Model Registry\n- Custom documentation of the audit scope, discovery, and findings with security impact.\n\nKubeflow maintainers and community worked to resolve and address the issues reported during this engagement. To take advantage of the work done, update to the most recent release of Kubeflow.\n\nAs machine learning rapidly advances and changes the open source environment, engagements that holistically engage with projects in Artificial Intelligence (AI) are important to the ecosystem. They create documentation about the security implications of a project at a given time in order to help maintainers with future development as well as educate users on safe and best practices in the code they are utilizing in AI.\n\n**Thank you** to the individuals and groups that made this engagement possible:\n\n- Kubeflow maintainers and community, especially: Julius Von Kojout, Matthew Wicks, Francisco Arceo, Humair Kahn, Jeff Spahr, Andy Stoneberg, and Andrey Velichkevich\n- ADA Logics: Adam Korczynski and David Korczynski\n- Cloud Native Computing Foundation\n\nYou can read the Audit Report **HERE**\n\nEveryone around the world depends on open source software. If you’re interested in supporting this critical work, [reach out to us](https://forms.clickup.com/90132124106/f/2ky4p4ea-3833/O6UZRESBTKJLR0VB72)!", "url": "https://wpnews.pro/news/kubeflow-audit-complete", "canonical_source": "https://ostif.org/kubeflow-audit-complete/", "published_at": "2026-06-24 15:29:54+00:00", "updated_at": "2026-06-24 15:40:41.670114+00:00", "lang": "en", "topics": ["machine-learning", "ai-safety", "ai-infrastructure"], "entities": ["Open Source Technology Improvement Fund", "Kubeflow", "ADA Logics", "Cloud Native Computing Foundation", "Katib", "Spark Operator", "Model Registry", "Pipelines"], "alternates": {"html": "https://wpnews.pro/news/kubeflow-audit-complete", "markdown": "https://wpnews.pro/news/kubeflow-audit-complete.md", "text": "https://wpnews.pro/news/kubeflow-audit-complete.txt", "jsonld": "https://wpnews.pro/news/kubeflow-audit-complete.jsonld"}}