completed
CardanoPress: Security Audits, Improvements & Optimisations
Current Project Status
Complete
Amount
Received
₳24,000
Amount
Requested
₳40,000
Percentage
Received
60.00%
Solution

PatchStack, a WordPress security firm, will conduct a third-party audit for CardanoPress. We’ll apply their recommendations to enhance security for all new and existing projects built on CardanoPress.

Problem

CardanoPress is a great choice for Cardano projects, facilitating website development. However, a third-party security audit is vital to protect the broader community and ensure maximum safety.

Impact Alignment
Feasibility
Value for money

Team

1 member

CardanoPress: Security Audits, Improvements & Optimisations

Please describe your proposed solution.

Perception of the Problem:

The problem is the security and integrity of CardanoPress, an open-source Cardano solution used by non-technical users.

Ensuring security is vital to protect users, as they lack technical skills to audit or verify code. With 100+ active projects using CardanoPress, it's essential for their online security.

Approach Rationale:

The chosen approach is to collaborate with PatchStack, a reputable security auditing firm, for a comprehensive security audit. This decision aims to uphold the highest security standards, adhere to open-source guidelines (GPLv2), and prioritise transparency. This practice aligns with industry norms, as many plugin developers and WordPress builders rely on firms like PatchStack to enhance their codebase and address security vulnerabilities. Additionally, contingency plans involving alternative auditing firms ensure project integrity is safeguarded.

Engagement Strategy:

The project engages the Cardano community and developers who use CardanoPress for their projects. It also involves collaboration with PatchStack for security auditing. The open-source nature of the project encourages a broader community to contribute to its development and security.

Demonstration of Impact

  • Security Audit Report: The release of a comprehensive security audit report will offer full transparency regarding vulnerabilities and areas for enhancement within CardanoPress.
  • Implementation of Improvements: Subsequent updates and alterations to CardanoPress will be a direct reflection of the recommendations from the security audit, ensuring a secure codebase.
  • Commitment to Transparency: Our adherence to open-source principles, with all code governed by GPLv2, will continue our commitment to transparency and encourage community involvement.
  • Measurable Impact: The quantifiable impact will be gauged by the number of CardanoPress sites that update to the latest version, incorporating these security enhancements. This not only illustrates our dedication to fortifying security but also boosts user confidence in the platform.

Please define the positive impact your project will have on the wider Cardano community.

The success of our project will greatly benefit the Cardano Community by instilling confidence in all builders and users. It ensures they are utilising a highly secure code base, free from potential vulnerabilities and built-in exploits. While some users possess the technical know-how to verify code independently, not everyone can. A comprehensive third-party audit provides the level of trust necessary for the widespread adoption of our product.

To measure our impact, we will track the number of updated installations and new installations following the release and marketing of the newly audited build. This quantitative data will demonstrate the community's response and their trust in the enhanced security.

Our outputs and project results will be readily accessible on GitHub, with committed versions tagged as the "Security Audit Release." Alongside this, we will share the audit report from the security firm. We will actively communicate updates and data through our CardanoPress Twitter account, @cardanopress, ensuring the community is well-informed.

Additionally, we will record statistics on the core plugins WordPress.org listing (<https://wordpress.org/plugins/cardanopress/>) to provide insight into which CardanoPress versions users are utilising. Success will be evident as users transition to the latest Security Audit Release version, reflecting the increased trust and value our project brings to the Cardano Community.

What is your capability to deliver your project with high levels of trust and accountability? How do you intend to validate if your approach is feasible?

Trust and accountability are paramount in delivering this project. I, Peter Bui, am a prominent figure in the Cardano community, serving as a Cardano Ambassador and actively contributing as a Cardano-focused YouTuber, Learn Cardano. I also hold ambassador roles in various Cardano projects, such as Genius Yield, Fluid Tokens, NEWM, and Token Allies.

Additionally, I operate the ADAOZ stake pool with over 5000 individual wallets delegated to the pool.

Our track record includes successfully delivering three previous proposals in Fund 9, all aimed at kickstarting the CardanoPress ecosystem, culminating in the plugin's launch and community support.

Please see our previously funded and completed projects.

Our approach, involving a security audit and subsequent improvements, aligns with standard industry practices, ensuring robust security.

Our existing capabilities further demonstrate our suitability for this project:

  1. We are the original developers of the CardanoPress plugin, dedicating two years to its development.
  2. With over 15 years of experience in web development and extensive WordPress knowledge, we possess the expertise necessary for this project.
  3. Our extensive engagement with Cardano projects and technology over nearly three years displays our familiarity and commitment to the Cardano ecosystem.

Our history of active involvement, development experience, and community presence instill confidence in our ability to manage funds and deliver this project effectively and responsibly.

What are the key milestones you need to achieve in order to complete your project successfully?

Obtaining the Audit

The first and most important part of the project is obtaining the audit from the security firm.

This milestone will be considered complete once the security audit firm provide us with the audit report for analysis and review. This audit can be shared with Catalyst reviewers to confirm that the audit has been conducted and complete by the firm.

Acceptance criteria in this case would be receiving the audit report to be able to work upon.

>Acting on the Audit

Once the audit has been received, this is when the real work for our team begins. Based on the recommendations, the CardanoPress team will work through and implement changes where possible that make sense to meet the recommendations in the report.

All code and improvements will be committed to our Github repository a high level of transparency for the wider Cardano community.

Acceptance criteria in this case would be the completed submission of required code to meet the recommendations of the security audit, committed to GitHub.

>Validating the Patches & Improvements

Once out team have completed all the improvements and recommendations, the security audit firm will review and revise their audit report once again to confirm that all recommendations have been implemented to standard.

Upon verification, the team will release the Security Audit Release to the wide Cardano and WordPress community to install and download via Github and WordPress.org.

Acceptance criteria in milestone 3 would be the submission and public release of all the code to the community via WordPress.org and Github in the Security Audit Release.

Who is in the project team and what are their roles?

Peter Bui:

Peter is the proprietor of PB Web Development/Mesh With Us, overseeing the business since 2013. With a wealth of experience in web development, particularly within the WordPress ecosystem, and a solid track record in working on Cardano-based projects, his expertise is well-suited for project delivery.

  • <https://www.linkedin.com/in/peterbui1/>
  • <https://twitter.com/astroboysoup>

Gene Torcende:

Gene has been an integral part of PB Web Development since 2015, bringing years of expertise in WordPress development. His experience spans client website implementation and custom plugin design and development, making him a valuable asset for the CardanoPress project. Gene serves as the project's primary contributor and developer, actively crafting solutions to meet the needs of various Cardano projects.

  • <https://github.com/kermage/ >

PatchStack

PatchStack.com is a highly reputable security audit firm chosen for our code assessment. With a strong presence in the cybersecurity domain, PatchStack boasts extensive experience and expertise in identifying vulnerabilities and enhancing digital security. Their team of seasoned professionals is dedicated to safeguarding digital landscapes, making them a trusted partner for businesses and organizations seeking comprehensive security solutions. PatchStack's commitment to thorough assessments and their track record of delivering actionable recommendations make them a valuable asset in our pursuit of a more secure CardanoPress ecosystem.

For more information about PatchStack and their services, you can visit their website at <https://patchstack.com/about/>.

Please provide a cost breakdown of the proposed work and resources.

Budget break down according to milestone stage and resource

We're basing our total project cost being approximately $22,000 USD which converts to the requested 40,000 ADA at today's price of ADA. Time estimates for each milestone are provided in monthly periods.

We've broken down the budget into 4 cost types:

  • Project management (PM)
  • Development (DEV)
  • Marketing & Comms (MC)
  • Third party (TP)

Milestone 1 - The Audit (1-2 Months)

  • (PM) $1,000 - Project management
  • (TP) $8,000 - Security audit by PatchStack (Fixed cost)

Estimated 1-2 Month turn around as we are dependent on a third party provider.

Milestone 2 - Acting on the Audit (1 month)

  • (DEV) $8,000 - Development
  • (PM) $1,000 - Project management

Estimated 1 month turn around on this milestone

Final Milestone - Validating the Patches & Improvements (1 month)

  • (PM) $1,000 - Project management
  • (TP) $1,000 - Re-assessment of changes from the audit by PatchStack & re-audit assessment
  • (DEV) $1,000 - Development, Deployment & publishing of audit report and Security Audit Release of CardanoPress
  • (MC) $1,000 - Marketing and communication for the release of the more secure release via PR agencies, WordPress and Cardano related channels

Estimated 1 month turn around for the re-audit assessment on this milestone and publishing, releasing the updated plugin and communications around it.

How does the cost of the project represent value for money for the Cardano ecosystem?

The cost of our project represents exceptional value for the Cardano ecosystem. Compared to many other projects, our request for funds is notably low, primarily because it doesn't necessitate smart contract audits, which can significantly inflate expenses.

Our pricing structure for project management, marketing, and internal development is based on a reasonable and competitive rate of $100 USD per hour for the work involved. This rate aligns with typical freelance rates in the industry, ensuring cost-effectiveness.

Regarding the security audit cost, it was determined through a quotation provided by the PatchStack CEO, considering the state of our codebase during its last review. Since then, our codebase has experienced some growth, and we have made adjustments for costs and inflation to ensure fairness and accuracy in budgeting. This meticulous cost assessment ensures that the project represents excellent value for money within the Cardano ecosystem.

In conclusion, the cost of this project accounts for just over 0.381% of the total budget allocation for its category. This modest investment ensures the continued security and functionality of a free-to-use, open-source plug-and-play platform, benefiting creators and builders within the Cardano community. It exemplifies a prudent use of resources, offering considerable value to the Cardano ecosystem.

close

Playlist

  • EP2: epoch_length

    Authored by: Darlington Kofa

    3m 24s
    Darlington Kofa
  • EP1: 'd' parameter

    Authored by: Darlington Kofa

    4m 3s
    Darlington Kofa
  • EP3: key_deposit

    Authored by: Darlington Kofa

    3m 48s
    Darlington Kofa
  • EP4: epoch_no

    Authored by: Darlington Kofa

    2m 16s
    Darlington Kofa
  • EP5: max_block_size

    Authored by: Darlington Kofa

    3m 14s
    Darlington Kofa
  • EP6: pool_deposit

    Authored by: Darlington Kofa

    3m 19s
    Darlington Kofa
  • EP7: max_tx_size

    Authored by: Darlington Kofa

    4m 59s
    Darlington Kofa
0:00
/
~0:00