Project post by the Vitess maintainers

The Vitess Maintainer team is pleased to announce the results of a recent third-party security audit of the Vitess code base.

Vitess had previously been audited in 2019. Given the time that has passed since then, and the scale of change to the code base in that period, the maintainer team decided to request a fresh audit.

Starting in March 2023, an independent team from Ada Logics performed a full security audit of Vitess with a special focus on VTAdmin, which is a relatively new addition to Vitess.

Scope

The goals of the audit were to:

Outcomes

Some highlights from the report:

“Our overall assessment of VTAdmin is highly positive. VTAdmin follows secure design and code practices.”

“The VTAdmin code is clean and well-structured, making it easy to understand and audit.”

“This professional response to security disclosures is an important element of well-maintained security policy.”

We are grateful to the Cloud Native Computing Foundation for sponsoring this audit, and to OSTIF for facilitating it.

Special thanks are due to Andrew Mason and Dirkjan Bussink for doing most of the remediation work, and to Adam Korczynski and David Korczynski of Ada Logics for conducting the audit.

You can read the full audit report here.