Picocrypt security audit results

1 moderate, 3 low, 2 N/A-severity issues.

Make sure to update Picocrypt!

Should mention this audit on the website too @redoomed1 @jonah

6 Likes

He said he fixed most issues in the latest version and the others aren't all that problematic. Picocrypt is finally getting a security audit! Follow progress here. · Issue #32 · Picocrypt/Picocrypt · GitHub

However, the report itself states that they should try to get re-tested to ensure these fixes didn't result in additional vulnerabilities.

Unless you have (another) $3k to spare, I don't think a retest is practical :joy:

The changes are minor and logical – I don't think a retest is needed.

4 Likes

I see what you mean; apparently open source code and the skills to understand it throw off a lot of issues, and discussions on GitHub and open dialog contribute to this.

I would like to draw your attention to the fact that this community is developing and growing; a quite predictable and logical scenario is an increase in the number of users with beginner-level knowledge, let's say newbies.

Most of them have not yet discovered registering on GitHub; it will be too early for them to engage in dialogs there, and they will only be able to understand the code later.

If you want your product to get the coverage, acceptance and word of mouth it deserves and is due, it would be nice, and I'm speaking respectfully now, not to give the audit a chance to add a spoonful of tar to the honey barrel.

As for the financial question:

It may be reasonable in some cases to allow the community to support the project in the format of a
"donation section for upcoming audits selected by Privacy Guides"
(this is a very raw idea, improvisation).

  • The donation section for the audit sounds fun.
  • Sounds weird, auditing is the developersā€™ job.
2 Likes

Hey Evan, thanks for the audit :camping:

Is there an updated Picocrypt paranoid pack with the changes? I'm mainly interested in the added Rand.Read(). Where would I find it: the new repo under Picocrypt, or your old repo?

And for PCC-003, would there be a way to check if an existing encrypted file suffered from a trivial key error?

Thanks

I agree. I support FOSS, and if the software maintainers of a project (for security-critical software) need a security audit and are community driven, I'll throw down some money.