ossf · micmarti85 · Oct 7, 2024 · Sep 30, 2024
@@ -17,6 +17,8 @@ This engagement started in February 2024.
 * [May 2024](update-2024-05.md)
 * [June 2024](update-2024-06.md)
 * [July 2024](update-2024-07.md)
+* [August 2024](update-2024-08.md)
+* [September 2024](update-2024-09.md)
 
 ### Primary Contacts
 

@@ -0,0 +1,43 @@
+# Update 2024-09
+
+## Organizations
+
+We are making steady progress and continue to aim for the end of November to have the feature ready for users.
+
+### Maintainer Role
+
+* Maintainer role code is ready to merge pending documentation for using the featuer.
+* We will publish the feature along with the documentation when both are ready.
+
+### Organizations
+
+* The onboarding model, supporting a user to create an organization, is in progress.
+* As we work on implementing the details of the onboarding process, we are working through some of the implications of the design.
+* The organization designs are partially implemented on the site.
+* The organization designs incorporate our new design templates and add highly requested features like dark mode and an improved user interface that highlights more important information.
+* We will begin rolling out the new design template with the organizations feature.
+
+### Next steps:
+
+* Finish the pages for viewing an organization.
+* Continue work on the onboarding process and ability to edit and manage the organization.
+* Start adding test users once the permission system and organization pages are ready.
+
+## Audit
+
+The audit is completed and the draft report was delivered September 9th, 2024.
+
+* We have reviewed the report with the Trail of Bits team.
+* The report details 33 findings, mostly low severity or informational.
+* 7 findings were considered medium severity, and 1 finding was labeled high severity.
+* Samuel and the rest of the team have taken the findings and are responding with fixes and/or explanations that explain why a fix is not necessary.
+
+One important finding of this audit is that our effort to continue to convert our infrastructure to Terraform would pay large dividends in security.
+However, this project is a large undertaking that will require a larger monetary and time investment above and beyond the baseline maintenance supported by our current funding.
+
+### Next steps:
+
+* Addressable security concerns will be remediated and fixes deployed.
+* A response document is being drafted that responds to each finding.
+* When we are ready to mark each of the items as complete, we will contract with ToB for a further fix review.
+* After the fix review is incorporated into the report, we will coordinate with ToB to publish the report.