near / bounties

Specs for technical and non-technical work that earns NEAR tokens
https://devgovgigs.near.social

Audit Registry | Bounty: $14,000 in NEAR #13

Closed ilblackdragon closed 3 years ago

ilblackdragon commented 4 years ago

Description

Audit Registry is designed to increase transparency and security in the blockchain and general software space. It provides a ledger of

Context

[TODO: update after blog post is published] See draft of the blog post here - https://docs.google.com/document/d/1OX4Nv0Sta70f_1Py-Xs7iDyNHB-SGv_ygc8K2hVJ8CA/

Details

Contract

/// Interface sketch. AccountId, Hash, Signature, Auditor, Project and Certificate are types
/// defined by the contract; a trait is used so the bodiless signatures are valid Rust.
pub trait AuditRegistry {
  /// Register as auditor, linking account_id and metadata that is an IPFS/Sia content hash.
  fn register_auditor(&mut self, account_id: AccountId, metadata: Hash);

  /// Add a project to the registry. The code hash is used as the primary key for certificate information.
  /// All the other information is used for visualization.
  /// The GitHub URL can be used to distinguish projects with the same name in the UI.
  fn register_project(&mut self, name: String, url: String, metadata: Hash, code_hash: Hash);

  /// Auditor signs the given code hash, with their audit_hash and the list of standards this contract satisfies.
  /// The list of standards is free-form, but there should be social consensus on it for specific domains.
  /// E.g. in blockchains these will be EIP-* or NEP-*.
  fn sign_audit(&mut self, code_hash: Hash, audit_hash: Hash, standards: Vec<String>, signature: Signature);

  /// Report an advisory for the given code hash. The advisory hash is an IPFS/Sia content hash.
  /// Only allowed to be done by one of the auditors that signed the given code hash.
  /// It's possible to report an advisory first, without posting details, to inform users about a possible issue,
  /// and later reveal the details in the disclosure.
  fn report_advisory(&mut self, code_hash: Hash, advisory_hash: Hash);

  /// List all auditors.
  fn get_auditor_list(&self) -> Vec<Auditor>;

  /// List all projects.
  fn get_projects_list(&self) -> Vec<Project>;

  /// List certificates for the given project.
  fn get_project_certificates(&self, code_hash: Hash) -> Vec<Certificate>;
}

User Experience

An important note is that the user flow will allow developers (or community members) to request a certificate from auditors. Because auditors usually operate under contract with the developer / community member, it's up to them to decide whether they want to publish such information.

Acceptance

Bounty

$14,000 in NEAR
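An in-memory sketch of the registry specified above, added here as an example (it is not the bounty's contract or any NEAR code). It enforces the two rules the spec states: only registered auditors can sign a code hash, and only an auditor who signed a code hash can report an advisory against it. Assumptions: `caller` stands in for the NEAR predecessor account, hashes and signatures are plain strings, and the audit signature is stored for off-chain verification rather than checked.

```rust
use std::collections::HashMap;
// Constructed stand-ins for NEAR account ids and IPFS/Sia content hashes (plain strings here).
pub type AccountId = String;
pub type Hash = String;
pub type Signature = String;
#[derive(Clone, Debug, PartialEq)]
pub struct Certificate {
    pub auditor: AccountId,
    pub audit_hash: Hash,
    pub standards: Vec<String>,
    pub signature: Signature, // stored for off-chain verification; not checked here (assumption)
}
#[derive(Default)]
pub struct AuditRegistry {
    auditors: HashMap<AccountId, Hash>,                // auditor -> metadata hash
    projects: HashMap<Hash, (String, String, Hash)>,   // code_hash -> (name, url, metadata)
    certificates: HashMap<Hash, Vec<Certificate>>,     // code_hash -> signed audits
    advisories: HashMap<Hash, Vec<(AccountId, Hash)>>, // code_hash -> (reporter, advisory_hash)
}

impl AuditRegistry {
    pub fn register_auditor(&mut self, account_id: AccountId, metadata: Hash) {
        self.auditors.insert(account_id, metadata);
    }
    pub fn register_project(&mut self, name: String, url: String, metadata: Hash, code_hash: Hash) -> Result<(), String> {
        if self.projects.contains_key(&code_hash) { return Err("code hash already registered".into()); }
        self.projects.insert(code_hash, (name, url, metadata));
        Ok(())
    }
    /// `caller` stands in for the transaction signer (predecessor_account_id on NEAR).
    pub fn sign_audit(&mut self, caller: &AccountId, code_hash: Hash, audit_hash: Hash,
                      standards: Vec<String>, signature: Signature) -> Result<(), String> {
        if !self.auditors.contains_key(caller) { return Err("caller is not a registered auditor".into()); }
        if !self.projects.contains_key(&code_hash) { return Err("unknown code hash".into()); }
        let cert = Certificate { auditor: caller.clone(), audit_hash, standards, signature };
        self.certificates.entry(code_hash).or_default().push(cert);
        Ok(())
    }
    /// Only an auditor who already signed this code hash may attach an advisory to it.
    pub fn report_advisory(&mut self, caller: &AccountId, code_hash: Hash, advisory_hash: Hash) -> Result<(), String> {
        let signed = self.get_project_certificates(&code_hash).iter().any(|c| &c.auditor == caller);
        if !signed { return Err("only an auditor who signed this code hash may report an advisory".into()); }
        self.advisories.entry(code_hash).or_default().push((caller.clone(), advisory_hash));
        Ok(())
    }
    pub fn get_project_certificates(&self, code_hash: &Hash) -> Vec<Certificate> {
        self.certificates.get(code_hash).cloned().unwrap_or_default()
    }
}
```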

luciotato commented 3 years ago

@ilblackdragon I can start with this bounty. Details and functionality are clear.

The plan is to build a web app with 3 kinds of users in mind: Auditor, Developer and Contract-User. The functionality is pretty clear from the contract and the blog post.

Besides the app, I'll include a CLI tool to operate on the contract; I guess the CLI tool could become the preferred choice for developers and auditors.

Can you assign me to this issue please?

aistoc commented 3 years ago

@luciotato, work is already in progress for this one.

ilblackdragon commented 3 years ago

Related: given Apple's recent debacle, this same registry can be leveraged to also track the relationship of both software source code and binary to developers when running it.

External verification (a challenge) is possible to confirm that, for open source software, this binary is indeed compiled from the given source code.

dpc commented 3 years ago

Hi. I'm the initial creator of https://github.com/crev-dev/crev/ which is exactly what you describe here (I think?). It uses self-generated cryptographic identities and a flexible (and swappable and customizable) Web of Trust to establish trust, and arbitrary review distribution mechanisms.

It also has an already implemented Rust programming language integration that you can test by installing cargo-crev, and some user documentation to help with getting started and understanding it. https://docs.rs/cargo-crev/0.18.0/cargo_crev/doc/user/index.html

It also has real active users (though not that many yet), and according to my knowledge is the most practical and wholesome attempt at solving the distributed open source trust and code auditing problem.

Feel free to ask any questions, either here or on the user Matrix channel https://matrix.to/#/!uBhYhtcoNlyEbzfYAW:matrix.org

ilblackdragon commented 3 years ago

See post with current status: https://gov.near.org/t/audit-registry-add-accountability-and-visibility-of-which-applications-were-reviewed-and-by-whom/234

cameron-NEAR commented 3 years ago

Hey @ilblackdragon, this bounty looks completed but I want to double check before closing it. Has it been paid? If so, can I close it?

@crosschainlabs

ilblackdragon commented 3 years ago

Yep, it's complete in the current form.