by magikarp 4540 days ago
From my perspective, we've been taking security seriously a year+. Our first commissioned audit was in November 2012, and we've had a bug bounty since then as well: https://crypto.cat/bughunt/

This isn't, of course, to say that there haven't been vulnerabilities. But I have to stand behind our mitigation and disclosure policy as being very highly responsible and transparent.

So far, we've had three paid audits, with two more lined up, and we regularly reward community bug-finders. We're planning more competitions for Cryptocat Mobile in March and April, with prizes such as iPhones and Nexus phones. :-)


Hi, I am working on a security-focussed startup. We have a rough cut of our initial product offering due in the next month and are trying to get initial trial users and customers on board to help us demonstrate interest.

How do you manage to afford to finance the audits and bug bounties? We have found that some potential customers want to see us get security audited before trusting our solution, but from what we can tell this is a multi-hundred thousand dollar cost and requires us to freeze development while it takes place. We currently have zero day-to-day budget and runway for 6 months. How have you afforded it?

> How do you manage to afford to finance the audits and bug bounties?

Public donations from our website and funding from public institutions and NGOs. Currently, our audits are funded by the Open Technology Fund: https://www.opentechfund.org

Generally, our funding tends to be very limited though, so sometimes we have to ask someone to do an audit for cheaper than they usually would, seeing as we're an open source project with no source of revenue.

EDIT: Forgot to mention, we have no funding for bug bounties. I pay all bug bounties out of my own pocket. I don't mind, I feel the money is very well-spent.

Good luck with your startup!

Ah, so basically, as a for-profit company aiming at a B2B enterprise product, we are screwed in this regard until we have the capital to absorb the audit cost through either revenue or investment. Oh well.
None of your incentives are sufficient to get large adversaries to drop their non-obvious zero day on you.