Any Plan for Code Audit #2310
Comments
([frightened] Beggar doesn't dare to say anything.)
Feb 8, 2023 20:01:37 sr093906 ***@***.***>:
As a key project helping people bypass network restriction, do you have any plan to conduct a professional code audit to ensure the security of users and the project itself?
Maybe cure53?
For the audit fee, you can raise money from users and even proxy services relying on v2ray-core. It is a win-win in my opinion.
It's a great idea, but it's hard to raise the money needed to audit the code. As an open source project, V2Ray relies on unpaid audits by developers and researchers.
It is not an impossible task. With a big user base, financial contributions can be expected if you ask, and code auditors may offer their service at a discounted price for a public-interest project. I am cognizant of the difficulties though. It will be hard without trusted major sponsors and even risky, since attackers may reveal developers' real identities via transaction records.
Based on information from https://www.coreinfrastructure.org/programs/audit-program/, a code review costs anywhere from 15K ~ 38K for a code base at V2Ray's scale, and the cost would be significantly higher if the dependencies of V2Ray are included in the review. We don't currently have any plan for fundraising at that scale (the corejs author claims to receive as little as $400 a month in the readme, after extensive funding effort). So, to answer your question, we won't be able to afford it even with fundraising. (And it is not like any of the authors can just absorb this cost like the other minor expenses V2Ray has.) That being said, we are more than happy if someone runs a code audit of V2Ray, at their own cost, and shares their findings with us. If anyone is still determined to get V2Ray a code audit, there is a Red Team Lab from USAGM's OTF that claims to provide code audits at their own cost. If someone is willing to contact them and negotiate a code audit, at their own cost, please comment in the thread.
This issue is stale because it has been open 120 days with no activity. Remove stale label or comment or this will be closed in 5 days
making comment to keep the issue open
This issue is stale because it has been open 120 days with no activity. Remove stale label or comment or this will be closed in 5 days
As a key project helping people bypass network restriction, do you have any plan to conduct a professional code audit to ensure the security of users and the project itself?
Maybe cure53?
https://cure53.de/
For the audit fee, you can raise money from users and even proxy services relying on v2ray-core. It is a win-win in my opinion.