We often get asked whether we have to release a client’s audit results publicly, the fear being that we’ll disclose a list of high-risk vulnerabilities that will taint the image of their team. We only release the results of an audit if the client explicitly requests that we do so. The problem is that when the results are not released publicly, the client has no way of proving that they have performed the audit, losing out on the opportunity to show that they take security seriously. As a result, we’ve developed the iosiro Proof-of-Work badge:
How it works
Our Proof-of-Work badge can be placed on a client’s website for their users to verify that specific work has been performed by iosiro. We will only award the badge if:
- We have conducted a comprehensive audit of their smart contracts; and
- We are satisfied with the level of security achieved by the company based on the extent to which they addressed issues identified during the audit.
It’s important to note that not all clients will receive a badge for work performed. Only work that meets the criteria specified above will receive the badge. However, it’s worth noting that this does not mean that the client has perfect security. Any security professional will tell you that perfect security doesn’t exist. Anyone can be compromised, whether you’re a government agency such as the NSA or a coffee shop down the road.
How to verify
Clicking on the badge will link back to https://verify.iosiro.com, which will display information about the specific work performed based on cryptographically signed data included in the button element.
If the data has been tampered with, or is incorrect for any other reason, the user will be informed that the contents are invalid.
Under the hood
The technical details and implementation are available on our GitHub page. In short, we sign the contents of the badge using a PGP key. When a user arrives on our site, the server verifies the data and, if it has been correctly signed, displays the relevant information back to the user, such as the client name, the nature of the work, and the date that we issued the badge.