add page on security audit (#2774)

* add page on security audit

* incorporate feedback
This commit is contained in:
0xmiel 2021-08-11 15:16:02 +02:00 committed by GitHub
parent 9697b73e71
commit fe96c3e993
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 25 additions and 0 deletions


@ -61,4 +61,5 @@
- [Resources](./resources.md)
- [Binary distribution internals](./distribution_internals.md)
- [Prater: What you should know](./prater.md)
- [Security Audit](./audit.md)
- [FAQ](./faq.md)
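Review bot: the new entry `- [Security Audit](./audit.md)` links to `./audit.md`, but the hunk header alone does not show the path of the file added in the second hunk; please confirm that the new page is saved as `audit.md` in the same directory as `resources.md`, `prater.md` and `faq.md`, otherwise the table-of-contents link will 404. Placing it between "Prater" and "FAQ" reads fine.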


@ -0,0 +1,24 @@
# Security Audit
## Summary
Nimbus has undergone an extensive, multi-vendor ([ConsenSys Diligence](https://consensys.net/diligence/), [NCC Group](https://www.nccgroup.com/uk/), and [Trail of Bits](https://www.trailofbits.com/)) security assessment over a period of many months. During that process, we were notified of several issues within the codebase. These issues have been addressed and the overall security of the Nimbus-eth2 software has been drastically improved.
Additionally, as a result of the work done from our security vendors, we are now working to incorporate many new security processes and tooling to improve our ability to find security issues in the future.
For more information on the issues and how they were addressed, the interested reader should direct themselves to the [scoped repositories](https://github.com/status-im/nimbus-eth2/labels?q=audit); all reported issues and their mitigations are open to the public.
## History
Back in May of last year (2020), Status and the Nimbus Team posted a [Request for Proposal](https://our.status.im/nimbus-eth2-0-security-audit-request-for-proposal/) document regarding the [security assessment](https://our.status.im/what-is-a-security-audit-when-you-should-get-one-and-how-to-prepare/) of the [nimbus-eth2](https://github.com/status-im/nimbus-eth2) repository (formerly `nim-beacon-chain`) and its software dependencies.
After thoroughly vetting and weighing the submitted proposals, 3 security vendors were chosen to review the codebase for a timeline of approximately [3 months](https://notes.status.im/7D73zDPyQxOUWw4ejEn6oQ?view#).
The kickoff announcement can be read [here](https://our.status.im/nimbus-beacon-chain-assessment-kickoff/).
We separated the codebase into sub-topics with various tasks. These tasks were then broken up and assigned to the vendor(s) with the required expertise.
The desired deliverable outcome was GitHub issues in the repositories under review, which is a shift from the standard “assessment report” provided by most security assessments in the space. You can view the issues [here](https://github.com/status-im/nimbus-eth2/labels?q=audit).
To be very clear, we did not engage in this security assessment to get a stamp of approval from the security community. All of the effort put into creating this process and engaging the community was in the service of increasing the level of security and code quality of the Nimbus software.
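Review bot: the relative date in the History section will go stale; "Back in May of last year (2020)" should simply read "In May 2020", since the page will be read long after 2021. Two smaller points in the same hunk: "as a result of the work done from our security vendors" should be "by our security vendors", and the Summary's link text "scoped repositories" points at a GitHub issue-label search (`.../nimbus-eth2/labels?q=audit`) rather than at a list of repositories, so consider wording it as "audit-labelled issues" to match where the link actually goes. Also consider a blank line between `# Security Audit` and `## Summary` (and before each later heading) for consistency with the other pages in the book.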