
Topic: Kristov Atlas' Bitmessage security audit (Read 1520 times)

legendary
Activity: 2450
Merit: 1076
keybase.io/fallingknife/
May 27, 2015, 08:53:05 PM
#6
What is the status of the security audit? Is it complete yet?
newbie
Activity: 34
Merit: 0
November 29, 2014, 05:04:39 AM
#5
Mike,

We've stated our position, and we intend to proceed as planned.

Thank you and your group for the work you all provide to the Bitcoin community.

newbie
Activity: 24
Merit: 0
November 29, 2014, 04:49:31 AM
#4
Hi Mike!

Thanks for getting in touch.

We got in touch with two of the three services you mentioned, and spoke with their representatives. Neither would agree to participate in a crowdfunding campaign.

For a crowdfunding campaign to work, the organization (or individual) that agrees to perform or otherwise organize (e.g. a bug bounty service) an audit must agree to become the beneficiary of funds raised. In the case of Kristov's audit, funds raised from the Kickstarter campaign will go directly to Kristov -- at no point will we hold or collect money.

There are legal barriers to us here at CryptOpinion.com soliciting funds for what would ostensibly be a Bitmessage fundraiser. We would have to start a full-blown non-profit or an Unincorporated Nonprofit Association. That approach is a complex issue, and could be a discussion for another time, though.

Kristov has a proven track record of delivering well-researched, thoughtful results. We are excited and appreciative that he has agreed to participate in a crowdfunding campaign. It reflects positively upon his character that he would be willing to put himself out there, and reflects negatively upon the bug bounty services that would not.

As an aside, you will notice that bug bounty programs on CrowdCurity, etc. are mostly (not all) set up by for-profit entities that have the resources necessary to fund bounties fully with their own money. Bitmessage, though, is an open-source protocol. This throws a wrench into things, to put it simply.

Also, for full disclosure, you said on reddit that if we were to set up a bug bounty program, your group would participate. Therefore, given your group would supposedly benefit financially from a bug bounty program, it should be taken with a grain of salt when you say we are "giving people a false sense of security."

We are extremely pleased to have Kristov as Bitmessage's code auditor. In fact, we would prefer him over a bug bounty program.


Yum.

I can understand the reasoning behind the bug bounty programs not accepting your crowdfunded audit, mainly because you aren't the main developers or owners of the project. Some would even say you should instead put forth an initiative that would use tip4commit as a means for security researchers to audit BitMessage and get paid for committed bug fixes instead.

"Also, for full disclosure, you said on reddit that if we were to set up a bug bounty program, your group would participate. Therefore, given your group would supposedly benefit financially from a bug bounty program, it should be taken with a grain of salt when you say we are "giving people a false sense of security.""

We did indeed say we would be interested, for full disclosure, if you were to figure out or set up a bug bounty program for the security audit. And since you failed to do so, we clearly didn't take you up on the idea of accepting a large number of BTC for an audit that would rely entirely on my team's findings. It goes back to my point: if you intend to properly audit the project, it will require a large number of eyes with security knowledge to fully inspect the code over time, not a one-off audit.

It is very nice of Kristov to accept the potential job of auditing BitMessage for the sum of >$6k USD but the problem will be that after his audit is complete, regardless of how extensive or thorough it is, a month later someone else will potentially find exploitable holes and will look for the same sort of payment for his findings. The point is there is little to no security in the real world past an audit.

You should however:

- Do the crowdfunding effort to raise the funds.
- Put together your own bug bounty program (and we will gladly help you set this up, free of charge to the community)
- And pay researchers depending on level of exploitation

And for full disclosure: we have helped dozens of exchanges, dozens more merchants, and hundreds of sites in the last year (since December 2013) with their security (mostly Bitcoin related, but also Microsoft, Yahoo, and Paypal). Free. Of. Charge.

Thanks!
Mike
newbie
Activity: 34
Merit: 0
November 29, 2014, 04:00:46 AM
#3
Hi Mike!

Thanks for getting in touch.

We got in touch with two of the three services you mentioned, and spoke with their representatives. Neither would agree to participate in a crowdfunding campaign.

For a crowdfunding campaign to work, the organization (or individual) that agrees to perform or otherwise organize (e.g. a bug bounty service) an audit must agree to become the beneficiary of funds raised. In the case of Kristov's audit, funds raised from the Kickstarter campaign will go directly to Kristov -- at no point will we hold or collect money.

There are legal barriers to us here at CryptOpinion.com soliciting funds for what would ostensibly be a Bitmessage fundraiser. We would have to start a full-blown non-profit or an Unincorporated Nonprofit Association. That approach is a complex issue, and could be a discussion for another time, though.

Kristov has a proven track record of delivering well-researched, thoughtful results. We are excited and appreciative that he has agreed to participate in a crowdfunding campaign. It reflects positively upon his character that he would be willing to put himself out there, and reflects negatively upon the bug bounty services that would not.

As an aside, you will notice that bug bounty programs on CrowdCurity, etc. are mostly (not all) set up by for-profit entities that have the resources necessary to fund bounties fully with their own money. Bitmessage, though, is an open-source protocol. This throws a wrench into things, to put it simply.

Also, for full disclosure, you said on reddit that if we were to set up a bug bounty program, your group would participate. Therefore, given your group would supposedly benefit financially from a bug bounty program, it should be taken with a grain of salt when you say we are "giving people a false sense of security."

We are extremely pleased to have Kristov as Bitmessage's code auditor. In fact, we would prefer him over a bug bounty program.
newbie
Activity: 24
Merit: 0
November 29, 2014, 02:21:49 AM
#2
Hey,

We talked on reddit a bit back, and although I agree an audit of BitMessage is essential, the problem is simply that paying someone over $6k in BTC for an audit is a waste.

He is one man, with his own specific set of skills. You need an entire community of security researchers to audit BitMessage as they all will be able to provide their different skillsets to the table.

I suggested before to use a bug bounty program like:

- hackerone.com
- bugcrowd.com
- crowdcurity.com

HackerOne or BugCrowd will more than likely yield you real results. You don't pay for one audit. You pay per bug disclosure. When you submit BitMessage to a bug bounty program like the above, not only do my security team (BITCOMSEC) and Atlas audit the code, but another 20,000 security researchers from around the world with different skills and experience will also provide you REAL results.

I really do hope that you listen to what I'm telling you and look at the alternative. Relying on one security audit is dangerous for the project. You give people a sense of false security.

Cheers!
Mike
newbie
Activity: 34
Merit: 0
November 26, 2014, 03:28:28 PM
#1
Hi everyone!

Bitmessage, the P2P, encrypted communications protocol loosely based on Bitcoin technology, has been in need of a security audit for quite some time.

We couldn't be more excited to announce that Kristov Atlas has kindly agreed to thoroughly audit Bitmessage and complete a report of his findings.

In the next couple weeks, a Kickstarter campaign will be launched to raise the $6,600 Kristov has requested to complete the audit. All funds will go directly to Kristov for his completing the audit.

If you're interested in seeing the completion of a Bitmessage audit by Kristov Atlas, we will be posting updates on the Bitmessage subreddit:

http://www.reddit.com/r/bitmessage/
