External Audits & Bug Bounties

Jack Matier
Apr 27, 2018 · 5 min read

TLDR: Red4Sec has begun our security audit. What follows is a tip-of-the-iceberg overview of our own code practices and of bug bounties in the cryptocurrency space.

Red4Sec, our first security auditor, who also completed the audit for NEO, is not only doing our audit but has already begun it. A second auditing firm will join them shortly, once the final stages of paperwork are worked through. Stay tuned!

The successful completion of both audits will allow us to reveal a final launch date for mainnet, along with announcing the start of our bug bounty program.

As a small note, having not one but two audits before the launch of mainnet is a rarity in the cryptocurrency space (and with some of the recent security breaches, it shows!). Together with the bug bounty program to be launched, it underscores our commitment to openness and to being scrutinised.

The Quantum Resistant Ledger is at its core dedicated to ensuring security for all its users and second-layer applications, both now and into the future. Achieving that level of post-quantum security takes more than the choice of cryptography; several methods, outlined below, are used.

An overview: Refinement, Review & Peer-review

Every piece of code needs to be written with a plethora of vulnerability vectors in mind. Code injection, broken authentication, memory leaks, security misconfiguration, cross-site scripting, DDoS vectors and sensitive data exposure are just a small handful of the things to look out for, and they can be very easy to miss for inexperienced developers (and sometimes even experienced ones).

The consequences of missing any of this can be dire. Companies are estimated to lose $400 billion to hackers each year, and just this year Coincheck suffered a $530 million heist.

Given the stakes at play, cryptocurrency is the last space in which to launch an incomplete product to the public.

Refinement: Code Analysis and CI

Codacy & Codebeat: Give us a check on code complexity, security and coverage statistics. This helps to keep our code maintainable and readable for those wanting to review it and take a deeper dive, which is a requirement for an open source project.

Snyk: Takes care of the code we depend on. Out-of-date dependencies are arguably one of the first and easiest checks made by those looking to exploit your code: after a responsible disclosure takes place, there is often proof-of-concept code that can be run.

If a project still has the out-of-date dependency when that proof-of-concept code is released, exploiting it becomes a copy-and-paste endeavour.

Code Coverage & Test Suites

Coverage (in programming) is the proportion of the code that is actually executed when the test suite runs.

The test suite runs the code against a set of test cases to maintain expected behaviours. This keeps the different components of a codebase (especially a P2P one, where every node must interoperate with the others) consistent in what they expect of each other.

Every time a bug is found, replicated and fixed, part of the process is to add the replication to the test suite as a regression test, so the same bug cannot recur unnoticed.
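To make the two practices above concrete, here is an added example (not QRL code, and not Snyk's engine) that does the core of what a dependency check like Snyk does: it parses a pinned requirements file and matches each pin against a list of advisories with an affected version range. The package names, versions and advisory notes are constructed for illustration and are not real vulnerabilities. It also carries the kind of regression test the previous paragraph describes: the check originally compared versions as strings, which silently reports a vulnerable 1.9.x pin as safe against a "fixed in 1.10.0" advisory, so the replication of that bug stays in the suite next to the fix.

```python
"""Dependency-advisory check with a regression test (added example).

Not QRL code and not Snyk's engine: the package names, version ranges and
advisory notes below are constructed for illustration, not real CVEs.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.10.2' -> (1, 10, 2). Versions must compare numerically, field by
    field; comparing them as strings is a classic bug (see is_affected_buggy)."""
    return tuple(int(part) for part in v.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)
    note: str


# Constructed advisories for hypothetical packages (not real vulnerabilities).
ADVISORIES: List[Advisory] = [
    Advisory("examplelib", "1.0.0", "1.10.0", "hypothetical deserialisation RCE"),
    Advisory("netframe", "2.3.0", "2.3.5", "hypothetical auth bypass"),
]


def parse_requirements(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines (requirements.txt style), ignoring comments."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep:
            raise ValueError(f"unpinned requirement: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected_buggy(version: str, adv: Advisory) -> bool:
    """The bug as originally found: lexicographic comparison. '1.9.4' sorts
    after '1.10.0' as a string, so a vulnerable 1.9.x pin is reported safe."""
    return adv.introduced <= version < adv.fixed


def is_affected(version: str, adv: Advisory) -> bool:
    """The fix: compare parsed integer tuples, field by field."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def audit(requirements_text: str,
          advisories: List[Advisory] = ADVISORIES) -> List[Tuple[str, str, str, str]]:
    """Return (package, pinned, fixed_in, note) for every vulnerable pin."""
    pins = parse_requirements(requirements_text)
    findings = []
    for adv in advisories:
        pinned = pins.get(adv.package)
        if pinned is not None and is_affected(pinned, adv):
            findings.append((adv.package, pinned, adv.fixed, adv.note))
    return findings


# Constructed requirements file for the demo.
REQUIREMENTS = """
examplelib==1.9.4   # below the 1.10.0 fix: must be reported
netframe==2.3.5     # exactly the fixed version: must not be reported
othertool==0.4.1    # no advisory
"""


def test_regression_numeric_version_compare() -> None:
    """Replication of the bug, kept in the suite so it cannot recur unnoticed:
    the buggy comparison misses the finding, the fixed one reports it."""
    adv = ADVISORIES[0]
    assert not is_affected_buggy("1.9.4", adv)   # the original false negative
    assert is_affected("1.9.4", adv)
    assert not is_affected("1.10.0", adv)        # the fixed version is clean


if __name__ == "__main__":
    test_regression_numeric_version_compare()
    for pkg, pinned, fixed, note in audit(REQUIREMENTS):
        print(f"{pkg}=={pinned}: {note}; upgrade to >= {fixed}")
```

Run stand-alone it reports only examplelib==1.9.4; netframe is pinned at exactly the fixed version and is not flagged. A real tool adds the advisory feed and the package-ecosystem version rules (pre-releases, epochs, ranges with multiple fixed branches), but the failure mode the regression test pins down is the same one that matters in any of them.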

Integration Testing

Review & Peer-review

More

Taking it a step further: External Audits

Red4Sec

As mentioned above, Red4Sec has already commenced their audit with us.

Mystery Auditor #2


Taking it two steps further: Bug Bounty Program

We recognise the importance of taking this process seriously by having proactive rather than reactive security measures. This is demonstrated by our commitment to testing, to conducting internal audits and to procuring qualified organisations and/or individuals to perform external audits.

The bug bounty program will expand upon this by incentivising ethical hackers (white hats) to practise responsible disclosure, allowing the project to close security holes and fix vulnerabilities safely, without service interruption.

Security focused Bug bounty programs in the cryptocurrency space

Of the top 25 cryptocurrencies, currently totalling a market cap of ~$350 billion USD (according to CoinMarketCap, 2018-04-27), fewer than half (9) had bounty programs related to security or bugs, and only 3 of those did we consider up to our standards.

Our own bug bounty program

This will be launched in close proximity to the release of mainnet and will continue to be one of the key elements in our ongoing commitment to security.

The Quantum Resistant Ledger

Cryptography with longevity.

Jack Matier

Written by

Community Support for the Quantum Resistant Ledger
