Acknowledgement & Review
As the lead for product security, I want to take a moment to acknowledge the recent article and disclosure by a member of our community. Ben Tasker recently published a writeup about some security concerns related to key generation and garbage collection. Some of the issues were originally raised here via the developers platform and an excellent conversation started shortly thereafter. On behalf of the Security and Development teams I wanted to personally extend our thanks to Ben Tasker for spending his valuable time and effort to review the published source code and voice his concerns so that we can assess them, and where necessary, enhance the security of the Bitfi product. If you want to read his article you can find it here: View Article If you would like to follow the discussion on Bitfi.dev please take a look at the link here: View Developer Discussion
A few words about security at Bitfi
Security is at the very core of blockchain technology, and for our developers and security team to be successful in earning and maintaining users and the communities trust we recognize the significant benefit of a positive and open conversation regarding any security concerns that a developer or researcher may identify. Security is an evolutionary and ongoing process, and even the best developers can make mistakes. In the often tumultuous world of data breaches, vulnerabilities and software bugs every product will face security challenges and opportunities for enhancement will arise. At Bitfi we have a dedicated security team as well as third party labs which are actively analyzing the products hardware and software to uncover these opportunities, and to develop innovative and appropriate solutions to address challenges that may arise. Part of this teams responsibility is doing something we call Validation, Verification, and Triage. The VVT process enables us to review bug reports and collaborate with the researcher and development team to validate the findings, and triage any legitmate bugs reported to us so that they can be resolved quickly and properly. This process also allows for a collaborative approach to vulnerability mitigation by involving the researcher in each phase of the process including verification of appropriate solutions to any disclosed bug.
We have published a Vulnerability Disclosure Policy here on Bitfi.dev, and we encourage you to take the time to read it before submitting a vulnerability to us. This policy is based off of the Disclose.io framework and was recently adopted by our security team to offer Safe Harbor and Specific Guidelines to researchers and developers who wish to disclose a security issue in a responsible and coordinated manner. This is an industry best practice and ensures the protection of all parties and our customers while recognizing the need for trust and transparency. You can find the Policy here: View our Vulnerability Disclosure Policy
FAQ on recent memory bug
Getting back to Ben’s disclosure. We wanted to let everyone know where things stand and what to expect from us.
While Ben published his findings publicly he also was not aware of our Vulnerability Disclosure Policy and was acting in what we feel to be good faith. The concerns raised regarding the key generation are going through our VVT process, and if verified and validated we will implement appropriate mitigations which will be pushed to affected devices automatically. The development team is actively engaged in this process and we anticipate a timely resolution to any validated and verified issues. Upon completion of any code changes and internal testing we will privately share those changes with Ben for verification that any valid issues he has identified have been resolved. Once that has been successfuly verified by our team and Ben an update will immediately become available to users via our automatic update mechanism. We will also publish any changes to the code here on Bitfi.dev and update the developers solution pack accordingly to reflect any changes. We will add further updates as they occur. If you are a user and you have a security concern related to your device please reach out to our Support Team or post a message here on Bitfi.dev and one of our team will be happy to respond to you. Thank you for putting your trust in us, and thank you to all of the researchers, developers and other community members who are actively aiding us in enhancing the security and privacy of our users through responsible, ethical and coordinated disclosure of security concerns.