CardanoPress: Security Audits, Improvements & Optimisations

[GENERAL] Name and surname of main applicant

[GENERAL] Are you delivering this project as an individual or as an entity (whether formally incorporated or not)

[GENERAL] Please specify how many months you expect your project to last (from 2-12 months)

[GENERAL] Please indicate if your proposal has been auto-translated into English from another language.

[GENERAL] Summarize your solution to the problem (200-character limit including spaces)

PatchStack, a WordPress security firm, will conduct a third-party audit for CardanoPress. We'll apply their recommendations to enhance security for all new and existing projects built on CardanoPress.

[GENERAL] Does your project have any dependencies on other organizations, technical or otherwise?

[GENERAL] If YES, please describe what the dependency is and why you believe it is essential for your project’s delivery. If NO, please write “No dependencies.”

Our project does have a dependency on PatchStack, the chosen security auditing firm. Their audit is crucial for improving CardanoPress's security. We have aligned their work with & delivery of the report to our schedule and plan to implement their recommendations for ongoing security improvements.

In case PatchStack cannot meet the requirement, we have alternative auditing and security firms ready to assess our WordPress code base.

[GENERAL] Will your project’s output/s be fully open source?

[GENERAL] Please provide here more information on the open source status of your project outputs

CardanoPress is already open source, adhering to WordPress's GPLv2 license requirements. Our frameworks, plugins, and themes will all continue to be governed by the GPLv2 open-source license.

Furthermore, the security audit report from our security auditing firm will be publicly available after incorporating improvements and patches into our codebase for a new version release. This commitment underscores our dedication to transparency and community involvement.

[SOLUTION] Please describe your proposed solution.

Perception of the Problem:

The problem is the security and integrity of CardanoPress, an open-source Cardano solution used by non-technical users.

Ensuring security is vital to protect users, as they lack technical skills to audit or verify code. With 100+ active projects using CardanoPress, it's essential for their online security.

Approach Rationale:

The chosen approach is to collaborate with PatchStack, a reputable security auditing firm, for a comprehensive security audit. This decision aims to uphold the highest security standards, adhere to open-source guidelines (GPLv2), and prioritise transparency. This practice aligns with industry norms, as many plugin developers and WordPress builders rely on firms like PatchStack to enhance their codebase and address security vulnerabilities. Additionally, contingency plans involving alternative auditing firms ensure project integrity is safeguarded.

Engagement Strategy:

The project engages the Cardano community and developers who use CardanoPress for their projects. It also involves collaboration with PatchStack for security auditing. The open-source nature of the project encourages a broader community to contribute to its development and security.

Demonstration of Impact

• Security Audit Report: The release of a comprehensive security audit report will offer full transparency regarding vulnerabilities and areas for enhancement within CardanoPress.
• Implementation of Improvements: Subsequent updates and alterations to CardanoPress will be a direct reflection of the recommendations from the security audit, ensuring a secure codebase.
• Commitment to Transparency: Our adherence to open-source principles, with all code governed by GPLv2, will continue our commitment to transparency and encourage community involvement.
• Measurable Impact: The quantifiable impact will be gauged by the number of CardanoPress sites that update to the latest version, incorporating these security enhancements. This not only illustrates our dedication to fortifying security but also boosts user confidence in the platform.

[IMPACT] Please define the positive impact your project will have on the wider Cardano community.

The success of our project will greatly benefit the Cardano Community by instilling confidence in all builders and users. It ensures they are utilising a highly secure code base, free from potential vulnerabilities and built-in exploits. While some users possess the technical know-how to verify code independently, not everyone can. A comprehensive third-party audit provides the level of trust necessary for the widespread adoption of our product.

To measure our impact, we will track the number of updated installations and new installations following the release and marketing of the newly audited build. This quantitative data will demonstrate the community's response and their trust in the enhanced security.

Our outputs and project results will be readily accessible on GitHub, with committed versions tagged as the "Security Audit Release." Alongside this, we will share the audit report from the security firm. We will actively communicate updates and data through our CardanoPress Twitter account, @cardanopress, ensuring the community is well-informed.

Additionally, we will record statistics on the core plugins WordPress.org listing (https://wordpress.org/plugins/cardanopress/) to provide insight into which CardanoPress versions users are utilising. Success will be evident as users transition to the latest Security Audit Release version, reflecting the increased trust and value our project brings to the Cardano Community.

[CAPABILITY & FEASIBILITY] What is your capability to deliver your project with high levels of trust and accountability? How do you intend to validate if your approach is feasible?

Trust and accountability are paramount in delivering this project. I, Peter Bui, am a prominent figure in the Cardano community, serving as a Cardano Ambassador and actively contributing as a Cardano-focused YouTuber, Learn Cardano. I also hold ambassador roles in various Cardano projects, such as Genius Yield, Fluid Tokens, NEWM, and Token Allies.

Additionally, I operate the ADAOZ stake pool with over 5000 individual wallets delegated to the pool.

Our track record includes successfully delivering three previous proposals in Fund 9, all aimed at kickstarting the CardanoPress ecosystem, culminating in the plugin's launch and community support.

Please see our previously funded and completed projects.

• CardanoPress: A Plugin for Builders
• CardanoPress: ISPO Dashboard
• CardanoPress: Governance

Our approach, involving a security audit and subsequent improvements, aligns with standard industry practices, ensuring robust security.

Our existing capabilities further demonstrate our suitability for this project:

1. We are the original developers of the CardanoPress plugin, dedicating two years to its development.
2. With over 15 years of experience in web development and extensive WordPress knowledge, we possess the expertise necessary for this project.
3. Our extensive engagement with Cardano projects and technology over nearly three years displays our familiarity and commitment to the Cardano ecosystem.

Our history of active involvement, development experience, and community presence instill confidence in our ability to manage funds and deliver this project effectively and responsibly.

[Project Milestones] What are the key milestones you need to achieve in order to complete your project successfully?

Obtaining the Audit

The first and most important part of the project is obtaining the audit from the security firm.

This milestone will be considered complete once the security audit firm provide us with the audit report for analysis and review. This audit can be shared with Catalyst reviewers to confirm that the audit has been conducted and complete by the firm.

Acceptance criteria in this case would be receiving the audit report to be able to work upon.

Acting on the Audit

Once the audit has been received, this is when the real work for our team begins. Based on the recommendations, the CardanoPress team will work through and implement changes where possible that make sense to meet the recommendations in the report.

All code and improvements will be committed to our Github repository a high level of transparency for the wider Cardano community.

Acceptance criteria in this case would be the completed submission of required code to meet the recommendations of the security audit, committed to GitHub.

Validating the Patches & Improvements

Once out team have completed all the improvements and recommendations, the security audit firm will review and revise their audit report once again to confirm that all recommendations have been implemented to standard.

Upon verification, the team will release the Security Audit Release to the wide Cardano and WordPress community to install and download via Github and WordPress.org.

Acceptance criteria in milestone 3 would be the submission and public release of all the code to the community via WordPress.org and Github in the Security Audit Release.

[RESOURCES] Who is in the project team and what are their roles?

Peter Bui:

Peter is the proprietor of PB Web Development/Mesh With Us, overseeing the business since 2013. With a wealth of experience in web development, particularly within the WordPress ecosystem, and a solid track record in working on Cardano-based projects, his expertise is well-suited for project delivery.

• https://www.linkedin.com/in/peterbui1/
• https://twitter.com/astroboysoup

Gene Torcende:

Gene has been an integral part of PB Web Development since 2015, bringing years of expertise in WordPress development. His experience spans client website implementation and custom plugin design and development, making him a valuable asset for the CardanoPress project. Gene serves as the project's primary contributor and developer, actively crafting solutions to meet the needs of various Cardano projects.

• https://github.com/kermage/

PatchStack

PatchStack.com is a highly reputable security audit firm chosen for our code assessment. With a strong presence in the cybersecurity domain, PatchStack boasts extensive experience and expertise in identifying vulnerabilities and enhancing digital security. Their team of seasoned professionals is dedicated to safeguarding digital landscapes, making them a trusted partner for businesses and organizations seeking comprehensive security solutions. PatchStack's commitment to thorough assessments and their track record of delivering actionable recommendations make them a valuable asset in our pursuit of a more secure CardanoPress ecosystem.

For more information about PatchStack and their services, you can visit their website at https://patchstack.com/about/.

[BUDGET & COSTS] Please provide a cost breakdown of the proposed work and resources.

Budget break down according to milestone stage and resource

We're basing our total project cost being approximately $22,000 USD which converts to the requested 40,000 ADA at today's price of ADA. Time estimates for each milestone are provided in monthly periods.

We've broken down the budget into 4 cost types:

• Project management (PM)
• Development (DEV)
• Marketing & Comms (MC)
• Third party (TP)

Milestone 1 - The Audit (1-2 Months)

• (PM) $1,000 - Project management
• (TP) $8,000 - Security audit by PatchStack (Fixed cost)

Estimated 1-2 Month turn around as we are dependent on a third party provider.

Milestone 2 - Acting on the Audit (1 month)

• (DEV) $8,000 - Development
• (PM) $1,000 - Project management

Estimated 1 month turn around on this milestone

Final Milestone - Validating the Patches & Improvements (1 month)

• (PM) $1,000 - Project management
• (TP) $1,000 - Re-assessment of changes from the audit by PatchStack & re-audit assessment
• (DEV) $1,000 - Development, Deployment & publishing of audit report and Security Audit Release of CardanoPress
• (MC) $1,000 - Marketing and communication for the release of the more secure release via PR agencies, WordPress and Cardano related channels

Estimated 1 month turn around for the re-audit assessment on this milestone and publishing, releasing the updated plugin and communications around it.

[VALUE FOR MONEY] How does the cost of the project represent value for money for the Cardano ecosystem?

The cost of our project represents exceptional value for the Cardano ecosystem. Compared to many other projects, our request for funds is notably low, primarily because it doesn't necessitate smart contract audits, which can significantly inflate expenses.

Our pricing structure for project management, marketing, and internal development is based on a reasonable and competitive rate of $100 USD per hour for the work involved. This rate aligns with typical freelance rates in the industry, ensuring cost-effectiveness.

Regarding the security audit cost, it was determined through a quotation provided by the PatchStack CEO, considering the state of our codebase during its last review. Since then, our codebase has experienced some growth, and we have made adjustments for costs and inflation to ensure fairness and accuracy in budgeting. This meticulous cost assessment ensures that the project represents excellent value for money within the Cardano ecosystem.

In conclusion, the cost of this project accounts for just over 0.381% of the total budget allocation for its category. This modest investment ensures the continued security and functionality of a free-to-use, open-source plug-and-play platform, benefiting creators and builders within the Cardano community. It exemplifies a prudent use of resources, offering considerable value to the Cardano ecosystem.

[IMPORTANT NOTE] The Applicant agrees to Fund Rules and also that data in the submission form and other data provided by the project team during the course of the project will be publicly available.