Celebrating our 2024 open-source contributions

While Trail of Bits is known for developing security tools like Slither, Medusa, and Fickling, our engineering efforts extend far beyond our own projects. Throughout 2024, our team has been deeply engaged with the broader security ecosystem, tackling challenges in open-source tools and infrastructure that security engineers rely on every day.

This year, our engineers submitted over 750 pull requests that were successfully merged (a 67% increase over our 2023 contributions!) with improvements across more than 80 open-source projects, ranging from foundational cryptography libraries to package managers and software indexes. Each contribution is a response to real-world security engineering challenges—when we encounter limitations in critical tools, we dig in and improve them. When we discover ways to strengthen security primitives everyone depends on, we implement those improvements upstream where they benefit the entire community.

Some of these changes may seem small in isolation—a more robust parser here, better error handling there—but together, they represent meaningful improvements to security tooling that thousands of engineers depend on. From hardening package signing workflows to enhancing fuzzing capabilities, each contribution helps build a more secure foundation for everyone.

Let’s dive into some of the key contributions we made in 2024.

Key contributions

  • LLVM: We made improvements to MLIR and AddressSanitizer. For example, we added detection of C++ container overflows for std::string and std::deque containers. Read more about this in our blog post “Sanitize your C++ containers: ASan annotations step-by-step.”
  • pwndbg: pwndbg is a GDB and LLDB plugin that helps with reverse engineering and exploit development. Our engineers have continued maintaining the project, fixing many issues and merging new features such as an LLDB port, a Binary Ninja integration (see the pull request), and better support for embedded devices.
  • hevm: hevm is an implementation of the EVM supporting both symbolic and concrete execution, which we use as the basis for Echidna. Throughout 2024, we contributed several performance improvements, added support for new Cancun opcodes, and implemented multiple new cheatcodes to improve the testing experience.
  • Post-quantum cryptography: We released open-source implementations of two post-quantum digital signature schemes that have been standardized by NIST, helping to improve the overall community support of post-quantum cryptography. We released both Go and Rust versions of these standards, and the Rust versions have been integrated into RustCrypto.
  • OSS-Fuzz: OSS-Fuzz is a continuous fuzzing tool for open-source software projects. We added support for Ruzzy, our coverage-guided fuzzer for Ruby and Ruby C extensions.
  • Python packaging ecosystem: We continued our contributions to the Python packaging ecosystem, implementing PEP 740 and numerous other supply chain security improvements. Read more about these in our blog post “Attestations: A new generation of signatures on PyPI.”

The pull requests listed here capture the technical changes, but they don’t tell the whole story. Behind each merged pull request is a community of maintainers who reviewed our code, suggested improvements, and carefully considered the long-term implications of each change. These maintainers carry the real weight of open-source development—ensuring consistency, maintaining test coverage, and preserving compatibility across years of changes.

Many of our contributions started from limitations in open-source projects that we encountered during security assessments or tool development. Rather than building workarounds for these limitations, we chose to address them upstream, improving tools that the entire security community relies on. We’re able to do this work because we stand on the shoulders of giants—the maintainers and contributors who built and nurture these critical projects.

To every maintainer who reviewed our pull requests, every developer who provided feedback, and every engineer working to improve the security ecosystem—thank you. Here’s to another year of collaborative security engineering!

Some of Trail of Bits’ 2024 open-source contributions

  • AI/ML
  • Cryptography
  • Languages and compilers
  • Libraries
  • Tech infrastructure
  • Software testing tools
  • Blockchain software
  • Reverse engineering tools
  • Packaging ecosystem/supply chain
  • Others