Hi ReddCoin dev team / community
ReddCoin is very much once again in the public eye and as such will start to attract scammers and malicious actors left right and centre. Just looking back at previous releases of the ReddCoin core wallet I have a few suggestions that will provide a grounding in security good practise for the project going forwards:
- Generate a code signing certificate on an offline machine and keep the associated private key hidden / locked away forever, never let it touch anything connected to the internet
- Publish the certificate’s public key on the ReddCoin talk website front and centre for anyone to validate against
- Sign your release binaries with your new code signing certificate! Unsigned binaries are just not acceptable in 2018
- Provide SHA-1 hashes of all release binaries on the ReddCoin downloads page
- Employ a professional pen testing company to thoroughly pen-test the ReddCoin client, fix any vulns, re-test and publish the resulting write-up to show its been secured - this is not cheap but we are talking billion dollar market cap here right?
As the market cap grows the price of a breach becomes ever higher the software development team need to demonstrate they have undertaken reasonable steps to ensure user security (at least 1-4)
Suggestion 5 would just be what sets this coin apart form the rest of the vulnerability ridden masses, yes its all open source but has anyone had a crack at breaking it? Those private keys sitting in memory whilst staking would make for a very tempting attacker target.