add page on security audit (#2774)
* add page on security audit * incorporate feedback
This commit is contained in:
parent
9697b73e71
commit
fe96c3e993
|
@ -61,4 +61,5 @@
|
|||
- [Resources](./resources.md)
|
||||
- [Binary distribution internals](./distribution_internals.md)
|
||||
- [Prater: What you should know](./prater.md)
|
||||
- [Security Audit](./audit.md)
|
||||
- [FAQ](./faq.md)
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
# Security Audit
|
||||
|
||||
## Summary
|
||||
|
||||
Nimbus has undergone an extensive, multi-vendor ([ConsenSys Diligence](https://consensys.net/diligence/), [NCC Group](https://www.nccgroup.com/uk/), and [Trail of Bits](https://www.trailofbits.com/)) security assessment over a period of many months. During that process, we were notified of several issues within the codebase. These issues have been addressed and the overall security of the Nimbus-eth2 software has been drastically improved.
|
||||
|
||||
Additionally, as a result of the work done from our security vendors, we are now working to incorporate many new security processes and tooling to improve our ability to find security issues in the future.
|
||||
|
||||
For more information on the issues and how they were addressed, the interested reader should direct themselves to the [scoped repositories](https://github.com/status-im/nimbus-eth2/labels?q=audit); all reported issues and their mitigations are open to the public.
|
||||
|
||||
## History
|
||||
|
||||
Back in May of last year (2020), Status and the Nimbus Team posted a [Request for Proposal](https://our.status.im/nimbus-eth2-0-security-audit-request-for-proposal/) document regarding the [security assessment](https://our.status.im/what-is-a-security-audit-when-you-should-get-one-and-how-to-prepare/) of the [nimbus-eth2](https://github.com/status-im/nimbus-eth2) repository (formerly `nim-beacon-chain`) and its software dependencies.
|
||||
|
||||
After thoroughly vetting and weighing the submitted proposals, 3 security vendors were chosen to review the codebase for a timeline of approximately [3 months](https://notes.status.im/7D73zDPyQxOUWw4ejEn6oQ?view#).
|
||||
|
||||
The kickoff announcement can be read [here](https://our.status.im/nimbus-beacon-chain-assessment-kickoff/).
|
||||
|
||||
We separated the codebase into sub-topics with various tasks. These tasks were then broken up and assigned to the vendor(s) with the required expertise.
|
||||
|
||||
The desired deliverable outcome was GitHub issues in the repositories under review, which is a shift from the standard “assessment report” provided by most security assessments in the space. You can view the issues [here](https://github.com/status-im/nimbus-eth2/labels?q=audit).
|
||||
|
||||
To be very clear, we did not engage in this security assessment to get a stamp of approval from the security community. All of the effort put into creating this process and engaging the community was in the service of increasing the level of security and code quality of the Nimbus software.
|
||||
|
Loading…
Reference in New Issue