Hi Mike!
Thanks for getting in touch.
We got in touch with two of the three services you mentioned, and spoke with their representatives. Neither would agree to participate in a crowdfunding campaign.
For a crowdfunding campaign to work, the organization (or individual) that agrees to perform or otherwise organize (e.g. a bug bounty service) an audit must agree to become the beneficiary of funds raised. In the case of Kristov's audit, funds raised from the Kickstarter campaign will go directly to Kristov -- at no point will we hold or collect money.
There are legal barriers to us here at CryptOpinion.com soliciting funds for what would ostensibly be a Bitmessage fundraiser. We would have to start a full-blown non-profit or an Unincorporated Nonprofit Association. That approach is a complex issue, and could be a discussion for another time, though.
Kristov has a proven track record of delivering well-researched, thoughtful results. We are excited and appreciative that he has agreed to participate in a crowdfunding campaign. It reflects positively upon his character that he would be willing to put himself out there, and reflects negatively upon the bug bounty services that would not.
As an aside, you will notice that bug bounty programs on CrowdCurity, etc. are mostly (not all) set up by for-profit entities that have the resources necessary to fund bounties fully with their own money. Bitmessage, though, is an open-source protocol. This throws a wrench into things, to put it simply.
Also, for full disclosure, you said on reddit that if we we were to set up a bug bounty program, your group would participate. Therefore, given your group would supposedly benefit financially from a bug bounty program, it should be taken with a grain of salt when you say we are "giving people a false sense of security."
We are extremely pleased to have Kristov as Bitmessage's code auditor. In fact, we would prefer him over a bug bounty program.
Yum.
I can understand the reasoning behind the bug bounty programs not accepting your crowdfunded audit, mainly because, you aren't the main developers or owners of the project - some would even say you should instead put forth an initiative that would instead use tip4commit as a means for security researchers to audit BitMessage, and get paid for commit fixes to bugs instead.
"Also, for full disclosure, you said on reddit that if we we were to set up a bug bounty program, your group would participate. Therefore, given your group would supposedly benefit financially from a bug bounty program,
it should be taken with a grain of salt when you say we are "giving people a false sense of security.""
We did indeed say we would be interested, for full disclosure, if you were to figure out or set up a bug bounty program for the security audit. And since you failed so, we clearly didn't take you up on the idea of accepting a large number of BTC for an audit that would rely entirely on my teams findings. It goes back to my point: if you intend to properly audit the project it will require a large number of eyes with security knowledge to fully inspect the code over time. Not a one off audit.
It is very nice of Kristov to accept the potential job of auditing BitMessage for the sum of >$6k USD but the problem will be that after his audit is complete, regardless of how extensive or thorough it is, a month later someone else will potentially find exploitable holes and will look for the same sort of payment for his findings. The point is there is little to no security in the real world past an audit.
You should however:
- Do the crowdfunding effort to raise the funds.
- Put together your own bug bounty program (and we will gladly help you set this up, free of charge to the community)
- And pay researchers depending on level of exploitation
And for full disclosure: we have helped dozens of exchanges, dozens more merchants, and hundreds of sites in the last year (since December 2013) with their security (mostly Bitcoin related, but also Microsoft, Yahoo, and Paypal). Free. Of. Charge.
Thanks!
Mike
