How does the process work?
- We learn the high-level details of your project and stack (programming languages, framework/CMS, OS)
- Then we agree on your goal and scope: compliance, quarterly audit, pre-launch pentest, design review, etc.
- Meanwhile you can prepare and sign the contract, NDA and any other documents you need
- We thoroughly inspect your codebase for issues and contact you immediately if we find anything severe.
What are the results and deliverables?
Every audit ends with a security report (PDF, DOC or markdown) that explains every issue and vulnerability found, including remediation steps and design recommendations. To see what a pentest report looks like, check out the 8-hour-long Peatio Bitcoin exchange audit.
Do I need to share source code?
As a rule of thumb, a whitebox source code review is always better: it gives far more insight into your design and internal infrastructure than probing from the outside. If you cannot share sources, a blackbox pentest is an option too, with the understanding that it will cover less.
We no longer accept new clients, so look elsewhere. Some of the best companies in the space are IncludeSecurity, Cure53 and Paragon, and it's always a good idea to run a bug bounty with HackerOne, Cobalt or Bug Crowd. Also check the blog: it's not so hard to pentest yourself once you get the right mindset! If you just need a short piece of advice, send it to firstname.lastname@example.org.