Polkadot Summit '24 - Ecosystem Audit Log and Tracking & Ecosystem Vulnerability Disclosure

Ecosystem Audit Log and Tracking & Ecosystem Vulnerability Disclosure

Hi all, please see below a write-up from one of the Polkadot Summit sessions that was held in Bangkok in 2024.
You can use the polkadot-summit tag to see all the other posts, and navigate to the summary post for a recap of the event.

11th March 2024 / POLKADOT SUMMIT ASIA

Host: Giovanny Gongora & Serhan Bahar
Element: @gioyik:parity.io | @serhan:parity.io
Email: gio@parity.io | serhan@parity.io

SUMMARY OF THE SESSION

This session, led by Giovanny Gongora and Serhan Bahar from Parity Technologies, focused on the Ecosystem Audit Log and Tracking & Ecosystem Vulnerability Disclosure. The motivation behind these initiatives is to enhance transparency, confidence, and security within the Polkadot/Kusama ecosystem by tracking which parts of the code have been audited and disclosing vulnerabilities in a manner that protects the network while informing developers.

Notes & key questions asked

Audit Log and Tracking Motivation:

  • Emphasized the importance of transparency in audited code for cost efficiency, confidence in code reliability, and providing a secure foundation for building new features.

The Proposal for Audit Tracking:

  • Stage 1: Tracking audits per repository using ‘cargo vet’, which creates a ‘supply-chain’ folder recording version audits, delta audits, and violation entries.

  • Stage 2: A central ‘supply-chain’ aggregator repository for organisations like Parity to collate all audit data, simplifying access for developers.

  • Stage 3: Developers run the ‘cargo vet’ command to check their dependencies against the aggregated audit records.
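To make the three stages concrete, here is an added example (not code from the session, from Parity, or from the cargo vet project) that mimics what the final check does: it parses records in the shape of cargo vet’s ‘supply-chain/audits.toml’, merges an organisation’s own records with records from an aggregator repository, and then walks version audits, delta audits, and violation entries to decide which dependency versions are covered. The crate names, auditors, versions and TOML documents are constructed sample data, and merging a second TOML document is a simplification of cargo vet’s real import mechanism.

```python
"""Coverage check over cargo-vet style audit records.

Added example, not code from the session or from the cargo vet project. The
TOML documents are constructed sample data in the shape of cargo vet's
supply-chain/audits.toml; the aggregator is modelled as a second audits.toml
whose entries are merged in, a simplification of cargo vet's real import
mechanism. Crate names, auditors and versions are invented.
"""
from collections import deque

try:
    import tomllib  # standard library from Python 3.11
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Constructed sample: one organisation's own supply-chain/audits.toml.
OWN_AUDITS = """
[[audits.pallet-example]]
who = "Auditor A <a@example.org>"
criteria = "safe-to-deploy"
version = "1.0.0"

[[audits.pallet-example]]
who = "Auditor A <a@example.org>"
criteria = "safe-to-deploy"
delta = "1.0.0 -> 1.1.0"

[[audits.pallet-example]]
who = "Auditor B <b@example.org>"
criteria = "safe-to-deploy"
violation = "=1.1.1"
"""

# Constructed sample: records pulled from a central aggregator repository.
AGGREGATOR_AUDITS = """
[[audits.pallet-example]]
who = "External auditor <audit@example.net>"
criteria = "safe-to-deploy"
delta = "1.1.0 -> 1.2.0"
"""

# Constructed sample: the crate versions a developer's project depends on.
PROJECT_DEPENDENCIES = [
    ("pallet-example", "1.2.0"),
    ("pallet-example", "1.1.1"),
    ("unaudited-crate", "0.3.0"),
]


def load_audits(*toml_docs):
    """Parse audits.toml documents and merge their entries per crate name."""
    merged = {}
    for doc in toml_docs:
        for crate, entries in tomllib.loads(doc).get("audits", {}).items():
            merged.setdefault(crate, []).extend(entries)
    return merged


def _has_criteria(entry, criteria):
    """True if the entry certifies `criteria` (cargo vet allows a string or a list)."""
    declared = entry.get("criteria", [])
    return criteria in (declared if isinstance(declared, list) else [declared])


def certified_versions(audits, crate, criteria):
    """Return the versions of `crate` certified for `criteria`.

    A version audit certifies exactly one version. A delta audit "A -> B"
    certifies B only if A is itself certified, so chains are followed with a
    breadth-first walk. A violation entry (exact "=x.y.z" form only, a
    simplification of cargo vet's version ranges) can never be certified and
    cuts any chain that would pass through it.
    """
    entries = audits.get(crate, [])
    violations = {e["violation"].lstrip("=") for e in entries if "violation" in e}
    deltas = {}
    for e in entries:
        if "delta" in e and _has_criteria(e, criteria):
            src, dst = (v.strip() for v in e["delta"].split("->"))
            deltas.setdefault(src, []).append(dst)
    certified = set()
    queue = deque(e["version"] for e in entries
                  if "version" in e and _has_criteria(e, criteria))
    while queue:
        v = queue.popleft()
        if v in certified or v in violations:
            continue
        certified.add(v)
        queue.extend(deltas.get(v, []))
    return certified


def vet_dependencies(audits, dependencies, criteria="safe-to-deploy"):
    """Map "crate@version" to whether the merged records cover it for `criteria`."""
    return {f"{crate}@{version}": version in certified_versions(audits, crate, criteria)
            for crate, version in dependencies}


if __name__ == "__main__":
    merged = load_audits(OWN_AUDITS, AGGREGATOR_AUDITS)
    for dep, ok in vet_dependencies(merged, PROJECT_DEPENDENCIES).items():
        print(f"{dep}: {'certified' if ok else 'NOT certified'}")
```

Run on its own, the script reports pallet-example 1.2.0 as certified only because the aggregator contributed the 1.1.0 -> 1.2.0 delta on top of the organisation’s own 1.0.0 audit and 1.0.0 -> 1.1.0 delta; drop the aggregator document and 1.2.0 is no longer covered, which is the gap Stage 2 is meant to close. Version 1.1.1 stays uncovered because of the violation entry, and the unaudited crate has no records at all.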

The End Goal:

  • Establishing a robust and transparent audit verification process across the ecosystem, not limited to Parity but including Parachains and new projects.

Vulnerability Disclosure Motivation:

  • Shared codebase across the Polkadot/Kusama ecosystem means common vulnerabilities can have widespread effects. Early disclosure helps teams patch vulnerabilities efficiently.

The Program Today:

  • Initiated in late 2022 with a focus on responsible vs. public disclosure, the creation of disclosure channels, and policies for addressing critical- and high-severity vulnerabilities in a timely manner.
  • Sources of vulnerabilities include third-party audits and security engineers at Parity, with a commitment to transparency and collaboration with Parachains.

How to Contribute and Collaborate:

  • The session encouraged input on audit log tracking and vulnerability disclosure processes, integrating audit checks into development workflows, and collaborating on disclosure to enhance ecosystem security.

Q&A

  • What are the criteria to be involved in the common channel for sharing security vulnerability disclosures?

    • Currently it is invitation-only, and open to parachains.
    • This becomes less clear under the Coretime model, where more chains may participate periodically; whether they should be included remains to be discussed.

Key takeaways & next steps

For Audit Tracking:

  • The community is encouraged to contribute to the forum post on Security Audit Log and Tracking, sharing experiences and preparing to integrate audit status checks into their development workflows.

For Vulnerability Disclosure:

  • Parity emphasizes the importance of collaboration across the ecosystem for a more secure environment. Other companies are encouraged to disclose their audit findings, and developers are urged to make disclosures actionable, drawing on shared knowledge of common security risks to prevent them.

Next Steps: