Title: Blockchain software security report by China CERT, Ripple the worst
Post by: hl5460 on January 13, 2017, 01:47:03 AM

In December 2016, China CERT released a 17-page security audit report of blockchain software. As per the report, the audit was conducted in October 2016 and released later as an “open” document. The report examined 25 open-source blockchain projects, categorizing the vulnerabilities found into 9 classes. A total of 746 high-level attack vectors were detected. Ripple is rated the most insecure one, with over 223 highly risky bugs.

http://news.8btc.com/blockchain-software-security-report-by-china-cert-ripple-the-worst

Title: Re: Blockchain software security report by China CERT, Ripple the worst
Post by: JoelKatz on January 13, 2017, 06:03:01 PM

My official response is here: https://ripple.com/dev-blog/response-china-cert-report/

TL;DR: It looks like they just ran a static analysis tool against a combination of security-sensitive and irrelevant code, totaling the number of potential issues detected by automated, static analysis. This is almost completely meaningless because the vast majority of issues reported by such tools are false positives with no actual security implication. But it's doubly meaningless when you use it on code that already uses that exact same methodology, because every issue that can be identified by this method has already been found and fixed.