
K-9 Mail Collaborates With OSTIF, 7ASecurity On Security Audit

Our journey to transform K-9 Mail to Thunderbird for Android involves more than just improving the user interface and adding new features. K-9 Mail is already an important part of the open source ecosystem on Android, and because it lays the foundation for the future of Thunderbird on Android, we believe it’s important to invest in the security health of the software. 

To that end, we recently enjoyed a collaboration with the Open Source Technology Improvement Fund (OSTIF) and 7ASecurity on an extensive security audit of K-9 Mail. 

A team of six auditors at 7ASecurity worked diligently to identify and address potential security or stability issues in K-9 Mail. The audit focused specifically on threat modeling, fuzzing (automatically feeding the software unexpected or malformed inputs, as it might encounter from a malicious sender, to surface crashes and parsing bugs), and our software supply chain. 

We are happy to report that zero high-risk vulnerabilities were found. The security audit did uncover a handful of low-to-medium risk vulnerabilities, the majority of which the K-9 Mail team has already resolved or is in the process of addressing. 

Additionally, we’re very pleased to share this promising conclusion from OSTIF:

“[Mozilla] has an incredible foundation to begin this new chapter with, as the report notes seven wide-ranging points of secure and healthy practices and conditions of K-9 Mail that the 7ASecurity team evidenced during the engagement.”

Amir Montazery, OSTIF

The entire process was educational and productive, and we sincerely appreciated working with such professional and knowledgeable teams. We’d like to extend our deepest thanks to everyone at OSTIF, including Amir Montazery, Ashley Leszkiewicz, and Derek Zimmer, who were instrumental in orchestrating a smooth experience. 

And our sincerest gratitude goes out to Abraham Aranguren, Dariusz Jastrzębski, Daniel Ortiz, Dr. Miroslav Štampar, Óscar Martínez, and Patrick Ventuzelo at 7ASecurity for their hard work and attention to detail. 

“OSTIF has a strong understanding of how open source projects operate, and we really appreciated that they were able to jump in and help us coordinate this security audit of our K-9 Mail software. OSTIF and 7ASecurity were amazing partners that provided a helpful guiding hand, and made the process of doing the audit a breeze. We really appreciated their professionalism and expertise. I can confidently say that we plan on working with them again.”

Ryan Sipes, Thunderbird Product and Business Development Manager.
