It’s open-source. You can view the code base on github if you wish. https://github.com/oasisprotocol . It has been audited, but there are to my knowledge at least, no public reports. You can find it here: https://github.com/trailofbits/publications#blockchain-reviews 

There’s also an open website for bounties that tracks the history of the Oasis Network in relation to bugs being found and addressed: https://hackerone.com/oasis_protocol_foundation?view_policy=true