Termux Selected For GitHub Secure Open Source Fund Session 2
During June 2025, Termux team members Agnostic Apollo and Henrik Grimler participated in Session 2 of the GitHub Secure Open Source Fund program, together with maintainers from ~50
other open source projects. The program is one of the ways GitHub works towards improving security and security awareness in open source projects. You can read GitHub's announcement about the program at https://github.blog/open-source/maintainers/securing-the-supply-chain-at-scale-starting-with-71-important-open-source-projects.
In this post we will describe what we learnt, did and plan to do.
What We Learnt
The program was only 3 weeks long, but touched on many important concepts, including but not limited to:
- Licenses and license compliance.
- Security advisories.
- Security incident responses.
- Threat modelling.
- Securing GitHub Actions.
- Securing code with CodeQL and code scanning.
- Secure UX design.
- AI and MCP security.
- Securing code with the help of GitHub Copilot.
- Securing and testing code with Fuzzing.
What We Did
Even though Termux has already done a security disclosure once before, the program helped us learn how to go through this process a bit more formally. As part of the program we:
- Learnt how to assign a Common Vulnerability Scoring System (CVSS) score and request a Common Vulnerabilities and Exposures (CVE) ID from GitHub itself (GitHub is a CVE Numbering Authority, so a CVE ID can be requested directly from a repository security advisory).
- Published our Security Policy and Security Incident Response Checklist to formalize how vulnerabilities are reported to Termux and how we handle them. These are linked from the SECURITY.md files of our repositories, like termux-app and termux-packages.
- Added a dedicated security category for posts on our site instead of mixing them under general posts.
- Added a CodeQL GitHub Actions workflow that scans the GitHub Actions workflow scripts of the termux-packages repository; it will be added to other repositories in future. OpenSSF Scorecard, which we learned about during the program, may be used as well.
- Added a Dependency Submission GitHub Actions workflow for the Termux app's gradle builds, so that a Software Bill of Materials (SBOM) can be generated. This also enabled dependency vulnerability reporting in the repository's Security tab.
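As an added example (this is not Termux's own workflow file, and none of it is copied from the project), here is what a workflow combining the two GitHub Actions described above can look like: a CodeQL job that scans the repository's own workflow files, and a Gradle dependency-submission job that feeds the dependency graph used for SBOM export and vulnerability alerts. The default branch name (master), the Temurin JDK 17 setup and the weekly cron are assumptions; in practice the two jobs would live in separate repositories (termux-packages and termux-app respectively).

```yaml
# Illustrative workflow (added example, not Termux's own file). Branch name,
# JDK version and schedule are assumptions; in practice the CodeQL job would
# live in termux-packages and the dependency-submission job in termux-app.
name: Security scanning

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
  schedule:
    - cron: "17 3 * * 1"  # weekly, so newly published CodeQL queries also cover old code

# Least privilege: the default GITHUB_TOKEN gets read-only access unless a job
# explicitly asks for more.
permissions:
  contents: read

jobs:
  codeql-actions:
    name: CodeQL (GitHub Actions workflows)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read            # lets CodeQL read workflow run metadata
      security-events: write   # needed to upload SARIF results to the Security tab
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - uses: github/codeql-action/init@v3
        with:
          # "actions" is the CodeQL language id for GitHub Actions workflow files.
          # Its queries flag e.g. script injection via untrusted ${{ github.event.* }}
          # expressions and unpinned third-party actions.
          languages: actions
          queries: security-extended
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:actions"

  gradle-dependency-submission:
    name: Gradle dependency submission (dependency graph / SBOM)
    runs-on: ubuntu-latest
    # Pull requests from forks only get a read-only token, so submission would
    # fail there; run this job on pushes and the schedule only.
    if: github.event_name != 'pull_request'
    permissions:
      contents: write          # the Dependency Submission API writes to the dependency graph
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: "17"
      # Resolves all Gradle configurations and submits the resolved dependency
      # tree to the repository's dependency graph, which powers the SBOM export
      # and the dependency vulnerability alerts in the Security tab.
      - uses: gradle/actions/dependency-submission@v4
```

Two points worth noting for anyone adapting this. First, the example references actions by major version tag for readability; for a repository that is itself trying to harden its workflows, pinning every `uses:` to a full commit SHA (with the tag in a trailing comment) is the stronger choice, and it is exactly the kind of finding the CodeQL `actions` queries will report. Second, the dependency-submission job needs `contents: write`, so keeping it in its own job with its own `permissions:` block, rather than widening the token for the whole workflow, keeps the CodeQL job at read-only.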
What We Plan To Do
The program and our work on security enhancements are not over just yet; it will continue until the abyss consumes us. We plan to look into the following in future:
- Add a threat model for the Termux app and plugins and for our repository servers. This couldn't be done during the 3 week program, as formally evaluating and documenting everything would take days and weeks of work given how wide the scope of the project is, so it will be done later. Currently, we normally discuss threats in pull requests and issues as things are being implemented.
- The power and greatness of CodeQL cannot be denied, and it is something we can leverage to secure our open source projects. It can scan code for security issues based on published Common Weakness Enumerations (CWEs), and writing custom CodeQL queries for additional vulnerability detection would be really helpful too, for both our apps and libraries.
- Add fuzzing based testing to Termux APIs and libraries. It may need to be restricted to a small set of APIs or to limited inputs, as there seem to be resource consumption issues; we will have to research how large projects use it.
- Look into adding the Termux app version name, Android release version and other Termux specific runtime and build info to the user agent used by apt/pkg commands when downloading packages from our repository servers, with an opt out. Currently only the Termux package and prefix build values are sent. This should give us information on the distribution of Termux/Android versions among users and help us better gauge the security impact of vulnerabilities. It will also help us understand the usage of third party apps that use the Termux execution environment and packages once Dynamic Variables support is added. No user uniquely identifiable info will be sent, of course.
Thanks!
The GitHub SOSF program has been the catalyst we needed to formalize our security procedures, and its learnings have made us more aware of the many ideas and GitHub tooling we can use to improve the security of our project. - agnostic-apollo
We want to thank the GitHub and Microsoft staff, especially from the GitHub Security Lab, for sharing their knowledge and helping us grow, as well as all the program funders for making the program possible. A big shout out to all the other projects that participated in the program as well; there has been a lot we were able to learn from each other, and help each other with!