Auditors

A Critical Role In Transparency

Auditors help the general public verify, find issues in, and summarize the requirements and claims presented by Openly Operated products. Transparency doesn't help gauge trustworthiness if very few people understand or have time to look through a product's public audit materials, so auditors help make sense of them, saving everyone time and effort.

Why Be An Auditor

  • A Safer Internet - By looking into and verifying the inner workings of apps and services, you can help secure the products that you use, and also recommend products to friends and family that you can personally vouch for.
  • Learn and Gain Experience - Because Openly Operated products are fully open source and open infrastructure, you can learn to be a better developer and architect by auditing and understanding how these products work.
  • Earn Money Or Credits - Auditors can do their work for free if they want, but they can also be compensated by the operator in different ways — an avid user of a product might get a free year or lifetime subscription, or the operator might simply pay an agreed sum of money for the audit.

Be An Auditor

Currently, the Openly Operated auditors consist of a handful of engineers who are familiar with the Openly Operated requirements, but we'll soon open it up to anyone who wants to audit, and we're now working out the best way to onboard new auditors and help them through their initial audits. Be sure to sign up for the newsletter, and optionally also contact us here to let us know you're interested in joining the Auditor Early Adopter Program.

The Audit Process

Auditing process diagram

Once an auditor is matched with a product and its Audit Kit and Audit Template, the Openly Operated audit process begins:

  1. Understand the Product - Auditors need an understanding of the code architecture and infrastructure in order to properly audit the product. If they're not clear on how something works, they'll contact the operator for clarification. It's the operator's responsibility, not the auditors', to make sure they have sufficient understanding of how the product works.
  2. Fill Out Audit Report Template - Auditors follow the Audit Report Template they receive, performing the verifications on each page and documenting how each verification was performed and its results. For the Openly Operated requirements themselves, they can use the How To guide as a reference. Finally, any additional questions can be added to the document.
  3. Submit Draft - The draft audit report created from the Audit Template with the verifications, issues, and questions is submitted to the operators, CC-ing audit@openlyoperated.org.
  4. New Revision (optional) - If necessary, operators create a new revision that addresses the verifications, issues, and questions from the draft audit report. The revision number is increased by one, and the changes/additions are noted in the Revision History section. If code or infrastructure is updated, the Snapshot Date should be updated. The auditor goes back to Step 2 - Verifications, Issues, Questions, where the auditor can verify the new changes.
  5. Finalize Report With Executive Summary - Write a short, one-paragraph executive summary answering the question of whether or not the product passed audit, and noting any major findings. Not all questions and issues have to be fully resolved before publication — the auditor and operator can both be satisfied with open issues or questions, as long as the resulting report makes these issues and questions clear. The report is finalized when both the auditor and operator are satisfied with the latest Audit Kit revision. If the auditor and operator are unable to come to an agreement, the auditor can request that Openly Operated make the Audit Report public.
  6. Sign And Publish Final Report - The auditor PGP signs the final report (using detached-sign), and the Audit Report and its signature are published on OpenlyOperated.org, where the public can access and read it. If you're not familiar with PGP, you can get started by using GPG Tools — it's fast, simple, and free.

Auditing Tools

Since infrastructure audit logs can easily be many gigabytes, we built Open Watch, an open source tool that automatically parses through infrastructure logs to verify their integrity and look for violations of Openly Operated tenets. It's designed for infrastructure logs generated by Amazon Web Services' CloudTrail audit trail service, and it's used to help verify the audit logs of both this website and our proof-of-concept production consumer app, Confirmed VPN.

Openly Operated is a new certification/standard (April 2019), and it needs more tools to help make auditing faster, easier, and more reliable. Join our discussions to see what we're working on and how you can help. Of course, we're always open to new ideas and suggestions.

The Near Future

Auditors play a very large role in the future of the internet. As more apps and services become open to improve privacy and security, their complex inner workings will require more dedicated specialists to both help find issues and increase public understanding of them. Technology companies today have both the responsibility and the resources to ensure every part of their products is properly and publicly audited.

Stay Informed

If you think full, provable transparency is important in the apps and services we all use, subscribe to the Openly Operated newsletter.

Your email address is kept private and never shared with third parties — see the proof in OpenlyOperated.org's Audit Kit.

Spread The Word

This site is written for everyone — companies, developers, everyday users. Make the future Openly Operated by sharing with friends.