<oembed><type>rich</type><version>1.0</version><title>Final wrote</title><author_name>Final (npub1hx…sg75y)</author_name><author_url>https://yabu.me/npub1hxx76n82ags8jrduk0p3gqrfyqyaxnrlnynu9p5rt2vmwjq6ts3q4sg75y</author_url><provider_name>njump</provider_name><provider_url>https://yabu.me</provider_url><html>Discussed this in a SimpleX chat yesterday, but it is worth leaving some thoughts here: &#xA;&#xA;A software project that has received a fancy, formal security / privacy audit document shouldn&#39;t be considered a gold standard of trust on its own. It is a practice that should build up a larger picture of trust. There&#39;s a lot that goes into an application being trustworthy or not.&#xA;&#xA;A PDF file from a team / field expert saying a program is good can only go so far. Just because a project may not have a document like this doesn&#39;t mean it is not held under heavy scrutiny or that it does not have trust. It isn&#39;t always possible, nor may it be fitting, to review certain software in such a manner. In fact, audited projects may be less scrutinised.&#xA;&#xA;A project can be audited but still miss out on potentially important security / privacy features. Would you rather use a wallet similar to Bitcoin Core that had such a PDF you could read, or would you use a wallet like Samourai (forks) or Wasabi that didn&#39;t, knowing it had privacy features?&#xA;&#xA;Audits need to be continuous to be most effective. Software that is rapidly updating, adding new features, or significantly changing its architecture is not a good fit for one-time audits. The document would just be an advertising gimmick and nothing more, since it either covers code that doesn&#39;t exist now, or doesn&#39;t cover code that exists now.&#xA;&#xA;Security reviews shouldn&#39;t be a one-time thing. A far better merit is an application being targeted by security researchers frequently, and vulnerability disclosures are a good sign of scrutinised, improving software. 
&#xA;&#xA;For something like GrapheneOS or a Linux distribution, these things don&#39;t work due to the sheer size of the projects and the differing conditions of users. Security researchers should routinely attempt to uncover vulnerabilities, and developers should be campaigned to shift left.&#xA;&#xA;These formal reviews do work better for single, user-facing software projects, or for online services to prove technical claims about their services. But it doesn&#39;t mean the software would always be the same as it was when the latest review was published, though.&#xA;&#xA;</html></oembed>