David Huseby, Hyperledger Security Maven
As part of the software development process at Hyperledger, any project that reaches its 1.0 milestone must have a security audit conducted by an outside firm. As we did with the Hyperledger Fabric security audit, we hired the audit firm Nettitude to audit Hyperledger Sawtooth as well. Today we are announcing the publication of the audit report.
The audit found a mix of issues ranging from low priority all the way to one high priority issue. This report further supports the rule that fresh eyes find bugs. The one high priority issue was incorrect file permissions on the file storing a private key. It’s little mistakes like that which are sometimes the hardest to see when you’ve been staring at the same files and code for months.
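The high priority finding, a private key file with the wrong permissions, is the kind of defect a small automated check catches before an auditor does. The script below is an added example, not code from Hyperledger Sawtooth or from the Nettitude report: it inspects a key file's mode, ownership and file type and reports anything that would let another user read or replace the key. The key paths in `DEFAULT_KEY_PATHS` are constructed placeholders, not the file identified in the audit.

```python
"""Check that private key files are readable by their owner only.

Added example for this post; not part of Hyperledger Sawtooth. A private key
should be a regular file owned by the service user with mode 0600 or stricter.
"""
import os
import stat
import sys

# Constructed placeholder paths: substitute the key files your deployment writes.
DEFAULT_KEY_PATHS = [
    "/path/to/keys/validator.priv",
    "/path/to/keys/user.priv",
]


def permission_findings(mode: int) -> list:
    """Describe what is wrong with a key file's st_mode; empty list means OK.

    Expectation: access for the owner only (0600 or stricter), nothing for
    group or other, not executable, and no setuid/setgid bits.
    """
    perm = stat.S_IMODE(mode)  # drop the file-type bits, keep the permission bits
    findings = []
    if perm & stat.S_IRGRP:
        findings.append("group-readable")
    if perm & stat.S_IWGRP:
        findings.append("group-writable")
    if perm & stat.S_IROTH:
        findings.append("world-readable")
    if perm & stat.S_IWOTH:
        findings.append("world-writable")
    if perm & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("executable")
    if perm & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid-or-setgid")
    return findings


def check_key_file(path: str, expected_uid=None) -> list:
    """Return all findings for one key file (mode, type, owner); empty means OK."""
    try:
        st = os.lstat(path)  # lstat: a symlink is reported, not silently followed
    except FileNotFoundError:
        return ["missing"]
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink")  # may point at a less protected file
    elif not stat.S_ISREG(st.st_mode):
        findings.append("not-a-regular-file")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append("owned-by-uid-%d" % st.st_uid)
    findings.extend(permission_findings(st.st_mode))
    return findings


def audit(paths, expected_uid=None) -> dict:
    """Map each failing path to its findings; paths that pass are omitted."""
    report = {}
    for path in paths:
        findings = check_key_file(path, expected_uid)
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    # Usage: python check_key_perms.py [key_file ...]
    # Exits non-zero when any key file needs attention, so it can gate a deploy.
    targets = sys.argv[1:] or DEFAULT_KEY_PATHS
    result = audit(targets, expected_uid=os.getuid())
    for path, findings in result.items():
        print("%s: %s" % (path, ", ".join(findings)))
    sys.exit(1 if result else 0)
```

Run it as the user the service runs as, so the ownership check compares against the right uid; a reported file is fixed with `chmod 0600` and, if needed, `chown` to that user. Wiring the script into a deployment or CI step turns a finding that took an outside audit to spot into a check that runs on every release.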
Thanks to the persistence and attention to detail of the Nettitude analysts, Hyperledger Sawtooth is that much better today. The overall low number of issues is a testament to the dedication and skill of the Hyperledger Sawtooth community. With the publication of this audit report, we close out the 1.0 process for Hyperledger Sawtooth and hopefully make good on the promise of the open source process.