BuboWerks just published our Recommended Risk Treatments for Cosmos Hub / Tendermint Validators. In association with that, we are announcing our fixed-price independent security assessments (or audits, if you prefer) for Cosmos Hub / Tendermint Validator operators. Here’s how it works:
- Download our contract for the work and ensure it meets your approval.
- Fill out our contact form and let us know you would like a Cosmos Hub / Tendermint Validator Assessment.
- We will contact you to receive your details and begin scheduling the assessment.
- We will send you a signed contract for countersignature.
- You can pay here in USD:
Alternatively, send Bitcoin or Ether payment to the addresses at the bottom of this page and email us with the origin address to associate the payment with you.
- The assessment will be performed remotely through a combination of technologies such as email, Skype, FaceTime, and WebEx, so that you can provide evidence that each control has been implemented, we can ask questions, and you can answer them. Note that our recommended risk treatments are just that: recommendations. We will get to know you, understand whether they are right for your organization, and consider any alternatives you may have instead. We are aiming for this to take about ten hours total, which may be done over a couple of days or a couple of weeks.
- We’ll process this information (and might have a few follow-on questions in the process) and get back to you in a few days with your confidential assessment report. If we believe your security is above the bar (essentially: if we feel safe using and delegating to your validator), you will also receive an assessment certificate that you can show off publicly.
Should you not pass, we can work with you to set up a reassessment after your controls have improved. The reassessment need only look at the improved controls, and hence is even more cost-effective. It would need to be done within a reasonably short time after the initial assessment (on the order of a few months) to ensure the other controls are still valid.
BuboWerks provides other services for validator operators, particularly controls implementation (if you need help setting up any of your security controls) and fractional-CISO services (if you don’t have the security expertise already in-house and don’t need a full-time CISO, this is a great option). In order for this assessment to remain independent, we regret we cannot offer it to clients who have already employed our other services. The reverse is not true: we can perform an assessment followed by controls implementation, but then we will not be able to perform the reassessment. This policy helps avoid any bias or conflict of interest such as was seen with Andersen at Enron.
This service is being offered at a fixed price of US$3000. We will also accept 1 XBT (Bitcoin, or BTC) sent to 1DsEtGMaF9ihNEDor9mTHRYhtnuSfL7Xvy or 30 ETH sent to 0xd45fC5B801F606E880622c42686b498e00D39722. Prices are subject to change, although we will respect whatever the advertised price was when you signed up.