im working on a decentralized chat app. i open sourced it to get feedback on the implementation.

for a project like this, its important for it to be open source in order to gain user confidence in the security. but i find that the project is too complicated for pro-bono security assessment work (which is understandable).

fiverr probably isnt the best place to find reputable support, but i wanted to see the prices. it seems to range from 50 to 5k+

i wont be getting the support any time soon, but id like guage an estimate. i havent done something like this before so any/all advice is appriciated.

i created a threat-model which may help: https://positive-intentions.com/docs/research/threat-model/

to explain my app in more detail: https://medium.com/@positive.intentions.com/introducing-decentralized-chat-377c4aa37978

github repo: https://github.com/positive-intentions/chat

  • sandalbucket@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    6 months ago

    The threat model helps a lot.

    I work for a small consulting firm. We do security assessments, but not the kind you’re looking for. I don’t want to sell you anything.

    From your intro here, I would expect to book a resource on this project at 50% utilization (to avoid burnout) for about 3 weeks. One week of assessment, one week of report writing, and we’ll say a week of overhead / buffer (to get things rolling / ask questions / interviews / report readout). That’s a total of 60 hours.

    My employer is expensive; we charge about $300/hr per resource. That comes out to about $18k. I would call this an upper limit (though in truth there is no upper limit. If you put multiple $700/hr resources on a project and let them bring in SMEs, things get expensive fast)

    If you haven’t done a security review before, I wouldn’t worry - you aren’t ready for the $18k service, or the $1k service. You will need a 3rd-party certificate eventually, but right now all you need is trust from your userbase, and openness and transparency are a good initial strategy.

    When it’s time, throw a hundred bucks at a local college student who’s into cryptography. Then fix / address all their findings. Then go for the next level, and fix their findings. There will always be findings; what you are buying is user trust. The more in-depth the review, the more trustworthy - but you don’t want the expensive service to be distracted by things a college student could have caught.

    I am intoxicated and rambling - let me know what questions you have :)

    • xoronOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      6 months ago

      thanks for the detailed information. this is the answer i was looking for.