CardanoPress is a great choice for Cardano projects, facilitating website development. However, a third-party security audit is vital to protect the broader community and ensure maximum safety.
This is the total amount allocated to CardanoPress: Security Audits, Improvements & Optimisations. 3 out of 3 milestones are completed.
Milestone 1/3: Obtaining the Audit
Cost: ₳ 12,000
Delivery: Month 2 - May 2024
Milestone 2/3: Acting on the Audit
Cost: ₳ 12,000
Delivery: Month 3 - Jun 2024
Milestone 3/3: Validating the Patches & Improvements
Cost: ₳ 16,000
Delivery: Month 4 - Jul 2024
PatchStack, a WordPress security firm, will conduct a third-party audit for CardanoPress. We'll apply their recommendations to enhance security for all new and existing projects built on CardanoPress.
Our project does have a dependency on PatchStack, the chosen security auditing firm. Their audit is crucial for improving CardanoPress's security. We have aligned their work and the delivery of their report with our schedule, and we plan to implement their recommendations for ongoing security improvements.
In case PatchStack cannot meet the requirement, we have alternative auditing and security firms ready to assess our WordPress codebase.
CardanoPress is already open source, adhering to WordPress's GPLv2 license requirements. Our frameworks, plugins, and themes will all continue to be governed by the GPLv2 open-source license.
Furthermore, the security audit report from our security auditing firm will be publicly available after incorporating improvements and patches into our codebase for a new version release. This commitment underscores our dedication to transparency and community involvement.
Perception of the Problem:
The problem is the security and integrity of CardanoPress, an open-source Cardano solution used by non-technical users.
Ensuring security is vital to protect users, as they lack the technical skills to audit or verify code. With 100+ active projects using CardanoPress, it is essential to their online security.
Approach Rationale:
The chosen approach is to collaborate with PatchStack, a reputable security auditing firm, for a comprehensive security audit. This decision aims to uphold the highest security standards, adhere to open-source guidelines (GPLv2), and prioritise transparency. This practice aligns with industry norms, as many plugin developers and WordPress builders rely on firms like PatchStack to enhance their codebase and address security vulnerabilities. Additionally, contingency plans involving alternative auditing firms ensure project integrity is safeguarded.
Engagement Strategy:
The project engages the Cardano community and developers who use CardanoPress for their projects. It also involves collaboration with PatchStack for security auditing. The open-source nature of the project encourages a broader community to contribute to its development and security.
Demonstration of Impact
The success of our project will greatly benefit the Cardano Community by instilling confidence in all builders and users. It ensures they are utilising a highly secure code base, free from potential vulnerabilities and built-in exploits. While some users possess the technical know-how to verify code independently, not everyone can. A comprehensive third-party audit provides the level of trust necessary for the widespread adoption of our product.
To measure our impact, we will track the number of updated installations and new installations following the release and marketing of the newly audited build. This quantitative data will demonstrate the community's response and their trust in the enhanced security.
Our outputs and project results will be readily accessible on GitHub, with committed versions tagged as the "Security Audit Release." Alongside this, we will share the audit report from the security firm. We will actively communicate updates and data through our CardanoPress Twitter account, @cardanopress, ensuring the community is well-informed.
Additionally, we will record statistics on the core plugins WordPress.org listing (https://wordpress.org/plugins/cardanopress/) to provide insight into which CardanoPress versions users are utilising. Success will be evident as users transition to the latest Security Audit Release version, reflecting the increased trust and value our project brings to the Cardano Community.
Trust and accountability are paramount in delivering this project. I, Peter Bui, am a prominent figure in the Cardano community, serving as a Cardano Ambassador and actively contributing as a Cardano-focused YouTuber, Learn Cardano. I also hold ambassador roles in various Cardano projects, such as Genius Yield, Fluid Tokens, NEWM, and Token Allies.
Additionally, I operate the ADAOZ stake pool with over 5000 individual wallets delegated to the pool.
Our track record includes successfully delivering three previous proposals in Fund 9, all aimed at kickstarting the CardanoPress ecosystem, culminating in the plugin's launch and community support.
Please see our previously funded and completed projects.
Our approach, involving a security audit and subsequent improvements, aligns with standard industry practices, ensuring robust security.
Our existing capabilities further demonstrate our suitability for this project:
Our history of active involvement, development experience, and community presence instill confidence in our ability to manage funds and deliver this project effectively and responsibly.
Obtaining the Audit
The first and most important part of the project is obtaining the audit from the security firm.
This milestone will be considered complete once the security audit firm provides us with the audit report for analysis and review. This report can be shared with Catalyst reviewers to confirm that the audit has been conducted and completed by the firm.
The acceptance criterion in this case is receiving the audit report so that we can work upon it.
Acting on the Audit
Once the audit has been received, the real work for our team begins. Based on the recommendations, the CardanoPress team will work through the report and implement changes where possible and sensible to meet its recommendations.
All code and improvements will be committed to our GitHub repository, providing a high level of transparency for the wider Cardano community.
The acceptance criterion in this case is the completed submission of the code required to meet the recommendations of the security audit, committed to GitHub.
Validating the Patches & Improvements
Once our team has completed all the improvements and recommendations, the security audit firm will review and revise their audit report once again to confirm that all recommendations have been implemented to standard.
Upon verification, the team will publish the Security Audit Release to the wider Cardano and WordPress community to download and install via GitHub and WordPress.org.
The acceptance criterion for milestone 3 is the submission and public release of all the code to the community via WordPress.org and GitHub as the Security Audit Release.
Peter Bui:
Peter is the proprietor of PB Web Development/Mesh With Us, overseeing the business since 2013. With a wealth of experience in web development, particularly within the WordPress ecosystem, and a solid track record in working on Cardano-based projects, his expertise is well-suited for project delivery.
Gene Torcende:
Gene has been an integral part of PB Web Development since 2015, bringing years of expertise in WordPress development. His experience spans client website implementation and custom plugin design and development, making him a valuable asset for the CardanoPress project. Gene serves as the project's primary contributor and developer, actively crafting solutions to meet the needs of various Cardano projects.
PatchStack
PatchStack.com is a highly reputable security audit firm chosen for our code assessment. With a strong presence in the cybersecurity domain, PatchStack boasts extensive experience and expertise in identifying vulnerabilities and enhancing digital security. Their team of seasoned professionals is dedicated to safeguarding digital landscapes, making them a trusted partner for businesses and organizations seeking comprehensive security solutions. PatchStack's commitment to thorough assessments and their track record of delivering actionable recommendations make them a valuable asset in our pursuit of a more secure CardanoPress ecosystem.
For more information about PatchStack and their services, you can visit their website at https://patchstack.com/about/.
Budget breakdown according to milestone stage and resource
We base our total project cost on approximately $22,000 USD, which converts to the requested 40,000 ADA at today's ADA price. Time estimates for each milestone are provided in monthly periods.
We've broken down the budget into 4 cost types:
Milestone 1 - The Audit (1-2 Months)
Estimated 1-2 month turnaround, as we are dependent on a third-party provider.
Milestone 2 - Acting on the Audit (1 month)
Estimated 1 month turnaround on this milestone.
Final Milestone - Validating the Patches & Improvements (1 month)
Estimated 1 month turnaround for the re-audit assessment on this milestone, plus publishing and releasing the updated plugin and the communications around it.
The cost of our project represents exceptional value for the Cardano ecosystem. Compared to many other projects, our request for funds is notably low, primarily because it doesn't necessitate smart contract audits, which can significantly inflate expenses.
Our pricing structure for project management, marketing, and internal development is based on a reasonable and competitive rate of $100 USD per hour for the work involved. This rate aligns with typical freelance rates in the industry, ensuring cost-effectiveness.
Regarding the security audit cost, it was determined through a quotation provided by the PatchStack CEO, based on the state of our codebase at its last review. Since then, our codebase has grown, and we have adjusted the figure for costs and inflation to ensure fairness and accuracy in budgeting. This careful cost assessment ensures that the project represents excellent value for money within the Cardano ecosystem.
In conclusion, the cost of this project accounts for just over 0.381% of the total budget allocation for its category. This modest investment ensures the continued security and functionality of a free-to-use, open-source plug-and-play platform, benefiting creators and builders within the Cardano community. It exemplifies a prudent use of resources, offering considerable value to the Cardano ecosystem.