Hyperledger Fabric 1.0 Release Process

Hyperledger | Feb 7, 2018

By David Huseby, Hyperledger Security Maven

As an open source project that is part of the Linux Foundation, Hyperledger takes on a great deal of responsibility to deliver software using a process that is transparent, proactive, and uses the best security practices. This blog post is about the release process for Hyperledger projects reaching the version 1.0 milestone. It is the first in a series focused on the Hyperledger security regime. The next post in this series will focus on everything we do to make good on the promise of open source software being more secure.

When Hyperledger Fabric 1.0 was released on July 11th, 2017, several administrative initiatives were under way. The first of these was an audit of the source code to determine the open source licenses the software was under.
Hyperledger uses the Apache 2.0 License for all of its original software and strives to only depend on other code licensed under the same or equally compatible licenses.

The second initiative was a cryptography export audit conducted by the Software Freedom Law Center. Despite a victory in the “crypto wars,” blockchains rely heavily on the latest cryptography, so we still have a reporting requirement for all cryptography that we include in our software.

The third initiative was an outside security audit. The Hyperledger team contracted an outside firm named Nettitude to do an independent audit of the Fabric source code. The purpose was to get confirmation of the soundness of the software and to establish a baseline for its security. The team at Nettitude did a great job going through the source code, attempting penetration tests, and running fuzzing processes against Fabric.

“Nettitude is delighted to have had the opportunity to work with The Linux Foundation to assess the security of their Hyperledger Fabric blockchain software. This was an exciting and timely piece of work, in a field which Nettitude had already identified as one of our security research priorities.”

The end results of the audit showed only a couple of medium-grade security issues that have since been mitigated. One issue was a general lack of comments in the code documenting its expected behavior. This is an important detail because programmers can look at the code and figure out what it does, but bugs lurk in the difference between what the original programmer intended and what the code actually does. Having thorough comments in the code helps reduce the risk of a security regression occurring during future software maintenance work.

The other issue was focused on the general security of the Docker container used to execute chain code. The principle of least authority dictates that the Docker container should be restricted and isolated as much as possible.

Today, we are finally publishing the Hyperledger Fabric 1.0 security audit report. We have published the technical report and the management report documents.

This process will be applied to all of the other Hyperledger projects as they reach the 1.0 milestone. The next project to go through it is Hyperledger Sawtooth. The license, crypto, and security audits for Sawtooth have already been completed and readers should expect its 1.0 release in the very near future. Stay tuned for the follow-up with the Sawtooth security audit report.

If you would like to help us make great software, the Hyperledger community has organized meetups and hackfests all over the world. If you find a security issue, please report it to security@hyperledger.org. You can find an upcoming event near you by visiting our events page here: https://hyperledger.org/events.

We’ll also be talking at RSA this year in April in San Francisco. Director of Ecosystem, Marta Piekarska and I will present “Blockchain-the new black. What about enterprise security?” We hope to see you there!