Security audit #27
Comments
Thanks for the links. We are planning to have a formal audit performed. If anyone would like to contribute to this in some way, please contact me directly using the contact form on the bitwarden website.
So how close is Bitwarden to getting a formal security audit?
@bcbane We are currently working to bring many of our paid features online which will allow us to start bringing in cash to fund things like a formal security audit. If all goes as planned, we should definitely have this done at some point this year.
I noticed two potential issues from looking over the code:
/cc @brianredbeard
@heyitsanthony Thanks for having a look.
I don't know how Google's Project Zero picks and chooses their targets for security auditing, but considering they recently did one for LastPass, it might be possible to have them take a look at Bitwarden.
https://sakurity.com/securelogin |
@dralley This can be a double-edged sword, especially for a small team. Project Zero has a few built-in control valves to force responsible disclosure. This means the entire Bitwarden team has 90 days to resolve all vulnerabilities before they become 0-days (hence the name). @ple103 Personally, I would let that bake in a little bit more. The Sakurity team is still working through some of their own UX and security concerns from the community. I look forward to seeing how it goes in the long run but the guidance
@heyitsanthony We've added support for HMAC-SHA256 signing org keys with a user's protected "mac key" (half of the 512-bit 5a67df6 This will authenticate a user's org key each time it is used, so any tampering will result in a failure during decryption. This puts the appropriate infrastructure in place, however, it still leaves two scenarios open that we need to fill:
After these scenarios are resolved we can make the mac checks strictly enforced.
I was playing with SonarQube on my fork tonight. Could be a good start, but might just be a bunch of noise. If there's interest, I can clean things up and make a PR. Current report can be seen here: https://sonarcloud.io/dashboard?id=bitwarden-core
@davidkassa Thanks for the scan. I don't really see anything of concern in that report.
I didn't either. Is adding a regular scan to the CI process worthwhile? I wanted to play but trying to decide if it's worth spending a couple of nights on.
@davidkassa I'd be open to it. I created a sonarcloud account and bitwarden organization but I'm not really sure how to use it. We use AppVeyor for CI builds.
Cool. I got it covered :)
I'll include details in the PR.
This could also be helpful. Not sure you know it yet
Some news on this front, bitwarden is now working with researchers on HackerOne to find vulnerabilities in the platform. Our program is currently private but will enter public status soon. We've already resolved a few minor issues found by researchers there so far.
Some links I came across (might be useful):
- Security Automation and Risk Management for Open-Source Code
- Node Security Platform
- Snyk
Our HackerOne program has now gone public: https://hackerone.com/bitwarden
This is awesome news! Are you planning on a blog post or something? I think this is worthy of some diffusion. Some background on how it works and what this means for the project, the company, etc. and sharing on HN, Reddit, etc.
Nevermind: https://blog.bitwarden.com/bitwarden-launches-on-hackerone-a8acda73b1c1
High-Tech Bridge is launching a free 'Mobile X-Ray' service for developers that analyses native and hybrid iOS and Android apps and detects the most common weaknesses and vulnerabilities.
Check websites for security and performance issues with Sonar (might come in handy). Scanner throws some errors for "https://vault.bitwarden.com/"
@paragonie-scott Please open new issues in the appropriate repos if you think you have found something. Or you can email us privately. This issue is to discuss the need for a security audit and I don't want it getting filled up with additional comments and discussion related to potential vulnerabilities.
I didn't see that you had a HackerOne program until just now. I sent the full details of the vulnerability/exploit there and deleted my comments above. Sorry for the confusion here.
Since many people watch this thread I just wanted to post a follow up that the potential vulnerability mentioned by @paragonie-scott earlier in this thread (which he subsequently removed) turned out not to be an issue and the related HackerOne report was closed. Though we did end up having some good discussion on the crypto implementations.
2017 is done, any status update on this? Get some quotes and open some kind of "gofundme". It should help you get there ;) I can only speak for myself but I would participate if there is a clear goal in terms of money needed. Best regards
I am looking for a cross-platform solution to replace the password manager I currently use. I would gladly pay a 'license' fee for a product like this that undergoes a review once in a while.
Echoing the sentiment here. The only thing that could entice me even more is a full audit.
Paying for an audit is a tall order for any one person. Would you contribute to a crowd-fund?
Heh, clever. Of course I meant I wouldn't contribute towards an audit either. Bitwarden is a commercial entity with a business model. I don't donate to for-profit businesses, I buy goods and services from them. But that's just me, other people have said they would do so.
I find you unreasonably negative. Bitwarden is mostly open source and I think both I and others find it useful to sometimes contribute to products that I don't use (yet). FWIW Scott that you replied to is a professional security researcher and it seems he's already spent some unpaid time on the code.
I would consider contributing if the project was developed and run by a non-profit foundation like Kodi and Apache. That is not the case. I don't contribute to for-profit enterprises, and am frankly amused that you think it's unreasonable. Red Hat Enterprise Linux is open-source also. Would you donate to Red Hat? How about Oracle, would you open your heart and donate to Larry Ellison's Lamborghini fund because they develop MySQL?
There is a big difference between helping out a small company trying to do something incredibly beneficial for the Open Source community such as providing an easy-to-use open source password manager for the masses . . . compared to BILLION DOLLAR corporations.
Where is the project on the audit side of things? Did you get quotes? Set up a crowdfunding?
Can we stop responding to people who don't understand the economics of OSS software?
I opened a ticket for BountySource integration, which would enable collaborative funding for any GitHub ticket.
@kspearrin The first step is to write out an informal security model. Have you done this?
Security audits are very expensive. Crowdfunding would make perfect sense but the question is if security audit companies allow Bitwarden to even talk about prices. I know some forbid it...
We are currently in early discussions with Cure53 about completing an audit. If anyone has suggestions of other agencies, please list them and we'll consider reaching out to them as well.
Just throwing that out there.. I'm willing to donate to have the security audit done. It's important to me that something I rely on this much be as secure as it can be. Thanks.
OSTIF has done audits on VeraCrypt, OpenVPN, etc.
Hi guys — Sorry for being a bit late to the party! I've just added bitwarden/core to the C# beta on LGTM.com: https://lgtm.com/projects/g/bitwarden/core/alerts The best way (IMHO) to use LGTM is by enabling automatic code review for pull requests. Here's an example of how that works for the team at Google (+ community) for AMPHTML: ampproject/amphtml#13060, and NASA use it for their Open-MBEE project, e.g.: Open-MBEE/exec-cameo-mdk#105. You can enable automatic code review here: https://lgtm.com/projects/g/bitwarden/core/ci/ Any questions / suggestions / comments: give me a shout! (Full disclosure: I'm part of the team that built LGTM.com 🙂)
Oh, and while I'm at it — here are the results for bitwarden/mobile: https://lgtm.com/projects/g/bitwarden/mobile/alerts/
I haven't heard of this service before, that is very cool. Thanks for sharing and setting this up. Hopefully this will help the audit. 👍 Note: for those who haven't heard of this and are curious what LGTM stands for as I was . . . LGTM = "Looks Good To Me"
You're welcome, @MichaelTunnell — glad to have you on board! Someone pointed @petervnv's comment in this issue (now a year ago) out to me, so it seemed worth setting this up. Let me know what you think! Note that you can add your own open source projects to LGTM if you like. Just log in with Google or GitHub (or create an account), and go to "My Projects". If you have a large number of projects you'd like to add: just drop me a note and I'll do them all in one go.
WhiteSource
We are scheduled with Cure53 for later this year to perform a complete audit of the backend server (core), web vault, desktop apps, browser extensions, and jslib (the library that powers most of our client apps).
Very good news! I look forward to switching to Bitwarden once this is complete.
Been waiting on this security audit to switch over, glad to hear it's coming soon.
Any news on when it will be done? Will the results be public?
Currently waiting for the security audit to buy my premium subscription... any update? Also is there a gofundme? I love the idea of bitwarden
Let me know if I can be of assistance, I would love to work with Cure53!
An audit has been completed. See here: https://blog.bitwarden.com/bitwarden-completes-third-party-security-audit-c1cc81b6d33
See #392 for follow-up regarding the solution to one of Cure53's findings.
👏
You can view Cure53's original report on their website from either the Publication section, or this direct link
Not sure in which repository this belongs, probably in all of them. Bitwarden should get a security audit to find and squash any security issues that might hide somewhere. Obviously there is the problem of financing, so maybe this can be of help. Doesn't hurt to try it, right?
https://blog.mozilla.org/blog/2016/06/09/help-make-open-source-secure/
https://docs.google.com/forms/d/e/1FAIpQLScLwANEOvLBE6gnFVoiamqHOYzzkaChpdQJ7f0PlZGmfyy94w/viewform
https://wiki.mozilla.org/MOSS/Secure_Open_Source