summary 2 Project Summary 3 Audit Scope 4 Threat model 5 Fuzzing 15 Issues found 17 SLSA 43 Supply-chain mitigations 45 1 Dapr security audit 2023 Executive summary In May and June 2023, Ada Logics the conclusion of the audit. An area for future work on Daprs security posture is its so�ware supply-chain. The SLSA review showed that Dapr is lacking a compliant provenance attestation alongside release We also included recommendations on how Dapr can ensure the quality and integrity of its own supply-chain via its dependency tree. 1 CVE-2023-37475 2 Dapr security audit 2023 Results summarised 7

Over the last handful of years, CNCF has been investing in security audits, fuzzing and so�ware supply chain security that has helped proactively discover and fix hundreds of issues. Fuzzing is a proven

CERTIFICATE-----\ nMIIBozCCAUmgAwI….2S6OsYalzqlaAc78Rk\n-----END CERTIFICATE-----\n"}, {"name": "DAPR_CERT_CHAIN", "value": "-----BEGIN CERTIFICATE-----\nMIIBajCCA….OH9yHYhLm\n----- END CERTIFICATE-----\n"}