Layer 1 blockchains like Sui must use a multi-pronged approach to ensure they maintain the highest level of security possible. One key part of Sui’s process is the use of third party security audits. It is important for the whole community to understand Sui’s security posture and how it is maintained, so this post provides insight into what audits are, why they are used, and how the findings are shared for Sui.
Third-party audits are an indispensable part of a comprehensive security posture. They provide an unbiased evaluation of the code itself as well as security controls, processes, and their effectiveness.
Auditors are industry and security experts, charged with conducting a thorough assessment of an organization, a whole product, or a specific piece of software. Through in-depth assessments and testing, they help identify weaknesses, risks, and vulnerabilities that may have been overlooked internally. The initial audit report details all potential problems as well as recommendations for the best way to fix them. Once all issues have been handled, the final report includes details of how the risk has been remediated.
At the Sui Foundation, we regularly use audits to ensure we maintain the highest level of security possible. We follow a set process for the intake, prioritization, mitigation, and communication of these reports.
- Findings intake: All reports are reviewed by the security team immediately upon receipt and queued for remediation.
- Impact-based prioritization: Not all findings are equal in terms of their impact on Sui's security posture. We prioritize findings based on their potential impact and address them accordingly. This helps us focus our resources on the most critical issues.
- Implementation roadmap: Once we’ve prioritized audit findings, we address critical findings pre-release and develop a roadmap for addressing any less critical findings. This roadmap includes timelines, resource allocation, and accountability measures to ensure that findings are addressed in a timely and effective manner.
- Continuous improvement: Findings by third parties are a valuable source of information for driving continuous improvement in Sui's security posture. We use the findings to identify areas for improvement and develop plans for addressing these areas.
- Share out: Audit reports will be made publicly available on sui.io and on GitHub.
- Community engagement and feedback: We want to engage the community early and often to ensure they understand the impact of the findings and the steps taken to address them and build on the results. We encourage feedback and are committed to addressing any concerns about Sui’s security posture.
Four recent audit reports are available now to read and review. We will continue to publish new reports in a timely manner. If there are any questions about how the Sui Foundation undergoes independent auditing, or anything else related to Sui’s security posture, contact us via our form.