Homebrew has had a paid security audit and addressed all flagged issues. This blog post has been a long time coming; apologies for the delay.
Here’s an overview of the timescale:
- 11th June 2020: The Mozilla Open Source program (MOSS) reaches out to Homebrew, which has been nominated for a paid, sponsored security audit by Radically Open Security (ROS)
- 11th June 2020: Homebrew meets with ROS and provides the main areas of focus:
  - macOS sandbox escapes
  - CI/development workflow issues (e.g. ways to exploit our CI infrastructure or deploy changes that haven’t been reviewed)
  - Bad use/setting/checking of Unix permissions
  - Formulae being able to modify the Homebrew/brew source process
- 18th June 2020: ROS meets with Homebrew to further discuss the audit scope and process and to provide access to ROS systems (e.g. GitLab, RocketChat)
- 23rd September 2020: MOSS and ROS confirm the contract
- 14th October 2020: ROS begins the security audit
- October 2020 - March 2021: ROS communicates issues to Homebrew, which resolves them, e.g. with https://github.com/Homebrew/brew/pull/10970 and https://github.com/Homebrew/brew/pull/10972
- 31st March 2021: ROS provides the final security audit report PDF to Homebrew
- 21st April 2021: Homebrew publishes a related security incident disclosure based on follow-up work
- 16th August 2022: Homebrew adds the final security audit report PDF to this page