Bitcoin Forum - Show Posts
1  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Network Attack on XVG / VERGE on: April 07, 2018, 12:52:11 PM
Although proofs and facts have been provided numerous times... there are still people believing in a flat earth.
This is no different from the mentality of the Verge community. The sooner you understand it, the sooner you will stop pointless discussions.
2  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Network Attack on XVG / VERGE on: April 06, 2018, 03:17:22 PM
Thank you for the long and detailed post.
You know what? I am calling the Verge team thieves. They are stealing XVGs and no one else whosoever!!!!! They can do what ocminer advised, but they have closed their fucking ears. Do they have ears? I highly doubt it. I didn't do enough research. But I didn't lose much money. I just lost hope.
Fuck them. They will burn in hell with their loot.

I understand your frustration. But calling them names or cursing them will change nothing, unfortunately. What you see here might well have nothing to do with them having closed their ears. It could be that they just plainly don't understand the code, so they are incapable of providing a fix. Months ago, when I did my research on Verge looking at the source code, I realised that the lead dev is at most a junior dev who lacks the experience to provide any high-quality complex code. This has been proven so many times by their "accidental" mistakes or the copy/pastes that include other people's bugs. Any rants/vents I had went away immediately. There is no point in venting at a fish because it will not fly... It's incapable of doing this in the first place...

Take the whole thing as a lesson. An experience to make us smarter in researching and making our choices.

Calling a dev a junior only because he uses part of the code from other devs makes you the junior here.

I'm a dev too, and I honestly do the same to release something faster. If you understand what other devs have done in their code, it is legit to use it (under a proper licence).

Then you might have misunderstood me, as if you read on in this thread you will also see examples of copy-pasted code that contained bugs that should have been fixed before committing that code. Or other examples that I personally encountered, such as committing "OpalCoin" error messages in your code while your coin is called Verge. Don't you think these are something a medior/senior would never do...? The whole point is that these are old examples, and to date you would expect a "lead" dev to have a proper QA process in place, able to catch those rookie mistakes and also to prevent accidental mistakes... But here we are, talking about another fiasco... It's not about releasing fast. It's about making the mistake once, then putting in place a process that will alert you to the same mistakes in the future... That's what experience is about.
3  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Network Attack on XVG / VERGE on: April 06, 2018, 02:48:49 PM
Thank you for the long and detailed post.
You know what? I am calling the Verge team thieves. They are stealing XVGs and no one else whosoever!!!!! They can do what ocminer advised, but they have closed their fucking ears. Do they have ears? I highly doubt it. I didn't do enough research. But I didn't lose much money. I just lost hope.
Fuck them. They will burn in hell with their loot.

I understand your frustration. But calling them names or cursing them will change nothing, unfortunately. What you see here might well have nothing to do with them having closed their ears. It could be that they just plainly don't understand the code, so they are incapable of providing a fix. Months ago, when I did my research on Verge looking at the source code, I realised that the lead dev is at most a junior dev who lacks the experience to provide any high-quality complex code. This has been proven so many times by their "accidental" mistakes or the copy/pastes that include other people's bugs. Any rants/vents I had went away immediately. There is no point in venting at a fish because it will not fly... It's incapable of doing this in the first place...

Take the whole thing as a lesson. An experience to make us smarter in researching and making our choices.
4  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Network Attack on XVG / VERGE on: April 06, 2018, 12:07:52 PM
I've got 600 XVGs. I'm not going to sell them. They mean nothing to me, just as you, the Verge team, mean nothing to me. I've stopped mining XVG. A good project has been destroyed by a group of disgusting thieves. I'm refraining so hard from swearing and cursing and name calling.

If you leave your door open and thieves come in and steal everything from your house, who is really at fault there...? I'm inclined to say that the responsibility is shared between you and the thieves. Thieves shouldn't exist, but they do. You were aware of their existence and you did nothing to prevent them from coming in.

In the software industry there is always going to be someone trying to find/exploit vulnerabilities, and someone trying to counter them. You will never be 100% secure, because the solutions made by humans are by nature imperfect. The best thing we can do is become aware of the known weaknesses and try to patch them.

And here is where I challenge you:
In a project that concerns money, investments, trading and so forth, what exactly were the measures taken to assess the security of it...? You, as a consumer/user of this project, what facts did you investigate and use to convince yourself of the security aspect of the project...? That's the thing... You talk about a good project; in what aspect...? Did you really investigate that it was a "good" project...? Today you read about a vulnerability that was there for 4 years. Of course this can happen (and it has) in the best companies and products. But those companies do regular security pen tests, hire security experts to do research and offer security bounties to communities. For every single vulnerability someone may find, you can be sure the companies have already found and patched a thousand more of them.

Why don't you ask the team of your good project to demonstrate to you the actions they have taken in the last 4 years to assess the security status of the project...? Ask them to share with you the reports of the security assessments, to show you which security experts they invited/hired/asked for help to assess the code base. To show you exactly how their development process works, how regularly the codebase is assessed for security vulnerabilities, and how and with what mechanisms they ensure the quality of the process...?

But then again, you shouldn't have to ask them for it; that info should be publicly available, right...? Or else you wouldn't put your hard-earned money in a project that you are not sure is secured "enough" (for your needs).
5  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Network Attack on XVG / VERGE on: April 06, 2018, 11:15:47 AM

Lol mods in your telegram don't even know it's still going on. I showed one of them proof and he said and I quote "I'm just an admin, I don't know anything". Do you also keep your admins in the dark?

Not taking any sides, but to be fair: being a moderator/admin at a forum/channel is about ensuring proper behaviour of the members. Thinking similarly, an office administrator of a software company would not necessarily know about a security breach in one of the company's software products. He might not even have the knowledge to understand it. :)
6  Alternate cryptocurrencies / Announcements (Altcoins) / Re: Network Attack on XVG / VERGE on: April 06, 2018, 10:34:02 AM
Hello all,

For a moment, please set aside the fact that my account is new. I registered here because I was inspired by the post of OCminer.
I would like to point out that he sets a very good example and we should support and promote such actions. Being a developer myself (professionally), I would like to give my point of view and also clear up some confusion that was introduced by some people, probably due to a lack of experience or knowledge.


1. It was mentioned on this thread that OCminer shouldn't have posted about the issue here. This was based on some people's knowledge/experience with software security.
    You can safely ignore those posts. Security through obscurity is a very well-known anti-pattern to any professional security researcher. Quoting from Wikipedia: https://en.wikipedia.org/wiki/Security_through_obscurity
Quote
In security engineering, security through obscurity (or security by obscurity) is the reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system. A system or component relying on obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that if the flaws are not known, that will be sufficient to prevent a successful attack. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism.
In short, OCminer did the right thing.

2. Verge developer sunerok commits code that is copy-pasted from other projects that he does not understand, and which sometimes includes bugs. This is true, and anyone who examines the source code that is publicly available on GitHub can verify it. This is not the first time this has happened; more like the Nth time. An example of this is the stealth addresses feature, which was copy-pasted from 3-year-old OpalCoin code and included the actual name of OpalCoin. Imagine using your Verge wallet and suddenly getting an error message saying your OpalCoin address is invalid... https://github.com/vergecurrency/VERGE/commit/e3612923a51016fc78e470d9e15a744d6ad64cb5#diff-e75eff0ce0dde388eddbe3173db85bd4L1779
Other examples, where someone gathered many references to copy-pasted code: https://github.com/vergecurrency/VERGE/issues/304. Every single time, the Verge developer and the fanatic community were either blocking, bashing or banning the people who would report this. In software development, and in all professional circles and companies, this is exactly what is called a junior or inexperienced developer. Developers who do this usually are not allowed to commit to the mission-critical products of a company, due to the damage they can cause. Instead, they are assigned more senior developers as mentors, and other devs review every single line they write to prevent "accidental issues"...

3. The Verge marketing team are trying their best to market a faulty product, trusting their lead dev, but they are also as inexperienced as he is. More specifically, I've shown above (and it was already known to most of you) that code from OpalCoin was included in the Verge source code. The ignorant would say that this is how open source works. Those people, however, are the ones who do not understand the licences that every piece of open-source software comes with; not every open-source project comes with a "free to copy-paste" licence. In fact, OpalCoin, as shown here https://github.com/OpalCoin/OpalCoin/blob/master/LICENSE#L13, comes with a licence that specifically says
Quote
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the Opalcoin Developers.
Of course you never saw any of this in the marketing material of Verge.

4. McAfee. I don't know why this guy is still called a security expert. It saddens me that people will follow anything they hear from "accredited" persons without investigating the legitimacy of it. For a proof of concept, I decided to follow one of McAfee's leads for an ICO, specifically Bezop tokens, to see what I could get out of it. When I opened an account during their ICO sale, I immediately noticed the security flaws of their platform. The flaws were so big that you could access identity cards, passports, driving licences and other PII, as well as being able to add tokens to your wallet. I immediately reported this to the company but did not receive any response. I tried to contact them through their LinkedIn accounts and again got no response. 2 days later, someone wrote a blog post on Medium about the same flaw, however mentioning only half of the vulnerabilities. When I found that post it was already edited, now containing only 2 lines saying that he got in touch with the company, the issues were fixed, and there is nothing to worry about. (Note: thanks to Google's cached content I was able to find the original post that included the vulnerabilities.) I tested my PoC again and the vulnerabilities were still there; nothing was fixed at all. This is not an uncommon incident in software security. Sadly, when the responsible people only care about money, we get to pay the price...

A few last words and I'm sorry for the long post:

Once a colleague of mine told me that if we were to build an in-house solution for feature X instead of using an existing open-source solution, it would be way more secure. I replied to him: "How many security experts does our team have...? Do you think those few minds are much greater and have more time than the huge community of hundreds of security experts & hackers?"
The open-source world has helped a lot in making software more secure. People actively trying to find vulnerabilities and the community actively trying to patch those vulnerabilities is what creates more secure software. We learn from our mistakes so that we don't repeat them in the future. But we need to be aware of our mistakes; we can't fix something we don't know about. If we care about our users/customers, we need to be open and transparent. And if we don't care, we also need to be open and transparent, so that anyone who uses our product knows the risks of doing so, instead of being lured by false marketing claims of "privacy and security".
 
Btw, does anyone have a link to the pen-test reports/security audits of Verge...? I remember some months ago there was talk about security audits being scheduled... I haven't followed up on this; any news...?
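Points 2 and 3 of the post above (code copied from OpalCoin that still carried OpalCoin's own error text, and an upstream licence whose clause 3 demands an acknowledgement) describe checks a reviewer can automate. The script below is an added example written for this page; it is not code from the Verge or OpalCoin repositories, and the two "source trees", the NOTICE text and the file names in it are constructed stand-ins. It (1) flags downstream files that are near-identical to an upstream file once comments and whitespace are stripped, so a swapped copyright header cannot hide a copy; (2) lists string literals in the downstream code that still name the upstream project, which is exactly the kind of leftover a user would see as a wallet error; and (3) checks whether the acknowledgement sentence quoted from the OpalCoin LICENSE appears in the downstream attribution text.

```python
"""Audit a source tree for copy-pasted upstream code and missing attribution.

Added example, not code from the Verge or OpalCoin projects. Both "trees"
below are constructed dicts of path -> source text, not real project files;
the OpalCoin error string mirrors the kind of leftover the post describes,
and REQUIRED_ACK is the sentence quoted from clause 3 of the OpalCoin LICENSE.
"""
import difflib
import re

# Constructed upstream tree (stand-in for the project the code was copied from).
UPSTREAM = {
    "stealth.cpp": (
        "bool IsValidStealth(const std::string& addr) {\n"
        "    if (!DecodeStealth(addr))\n"
        "        return error(\"Invalid OpalCoin stealth address\");\n"
        "    return true;\n"
        "}\n"
    ),
}

# Constructed downstream tree: the same function under a new copyright header,
# plus one unrelated file. The user-facing string still names the upstream coin.
DOWNSTREAM = {
    "src/stealth.cpp": (
        "// Copyright (c) 2018 The Verge Developers\n"
        "bool IsValidStealth(const std::string& addr) {\n"
        "    if (!DecodeStealth(addr))\n"
        "        return error(\"Invalid OpalCoin stealth address\");\n"
        "    return true;\n"
        "}\n"
    ),
    "src/main.cpp": "int main() { return 0; }\n",
}

# Constructed downstream NOTICE/attribution text with no mention of upstream.
DOWNSTREAM_NOTICE = "Copyright (c) 2018 The Verge Developers. MIT License."

# Acknowledgement required by clause 3 of the OpalCoin LICENSE quoted in the post.
REQUIRED_ACK = "This product includes software developed by the Opalcoin Developers"


def normalize(src):
    """Drop // comments and blank lines so a changed header cannot hide a copy.

    Deliberately simple: it would also truncate a '//' inside a string literal
    (e.g. a URL), which is acceptable for similarity scoring but not for
    anything that needs the exact source back.
    """
    out = []
    for line in src.splitlines():
        line = re.sub(r"//.*$", "", line).strip()
        if line:
            out.append(line)
    return out


def find_clones(upstream, downstream, threshold=0.8):
    """Return (downstream_path, upstream_path, similarity) for near-identical files.

    difflib.SequenceMatcher over the normalized line lists yields a ratio in
    [0, 1]; 1.0 means identical apart from comments and whitespace.
    """
    hits = []
    for dpath, dsrc in sorted(downstream.items()):
        dnorm = normalize(dsrc)
        for upath, usrc in sorted(upstream.items()):
            ratio = difflib.SequenceMatcher(None, normalize(usrc), dnorm).ratio()
            if ratio >= threshold:
                hits.append((dpath, upath, round(ratio, 2)))
    return hits


def find_foreign_strings(downstream, upstream_name):
    """String literals in downstream code that still name the upstream project."""
    pat = re.compile(r'"[^"\n]*' + re.escape(upstream_name) + r'[^"\n]*"', re.I)
    return [(path, lit) for path, src in sorted(downstream.items())
            for lit in pat.findall(src)]


def attribution_present(text, required_ack=REQUIRED_ACK):
    """True if the advertising-clause acknowledgement appears in the given text."""
    return required_ack.lower() in text.lower()


def audit(upstream, downstream, notice_text, upstream_name="OpalCoin"):
    """Run all three checks and return one report dict."""
    return {
        "clones": find_clones(upstream, downstream),
        "foreign_strings": find_foreign_strings(downstream, upstream_name),
        "attribution_ok": attribution_present(notice_text),
    }


if __name__ == "__main__":
    report = audit(UPSTREAM, DOWNSTREAM, DOWNSTREAM_NOTICE)
    for dpath, upath, ratio in report["clones"]:
        print(f"CLONE  {dpath} ~ {upath} (similarity {ratio})")
    for path, lit in report["foreign_strings"]:
        print(f"STRING {path}: {lit}")
    print("attribution present:", report["attribution_ok"])
```

Against a real checkout you would walk both repositories with os.walk and pass the actual NOTICE, README and marketing copy as the attribution text; a clone hit with a missing acknowledgement is the combination the post complains about, and a foreign-string hit is what the user sees.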