# Security Audit Preparation

## Scope for External Audit

### Priority 1: Critical Path

- Authentication (bcrypt, session management, CSRF, rate limiting)
- Cryptography (Ed25519 signing, ChaCha20-Poly1305 backup encryption, Argon2 KDF)
- Container isolation (Podman security, cap-drop, no-new-privileges)
- Network security (Tor integration, federation over hidden services)
- Input validation (RPC endpoints, path traversal prevention)

### Priority 2: Data Security

- Secrets management (identity keys, wallet credentials)
- Backup encryption (key derivation, storage format)
- DWN message integrity (peer sync, deduplication)
- Verifiable Credentials (W3C VC issuance, verification)

### Priority 3: Infrastructure

- Nginx configuration (headers, proxy settings, CSP)
- Systemd service hardening (watchdog, capabilities)
- UFW firewall rules (Podman subnet access)
- Log sanitization (no secrets in logs)

## Completed Internal Audits

- SEC-01: RPC endpoint input validation audit (100+ endpoints)
- SEC-02: Rate limiting on federation endpoints
- SEC-03: CSRF validation on all state-changing endpoints
- SEC-04: Container security profiles (cap-drop ALL, no-new-privileges)
- SEC-05: Log rotation configured
- SEC-06: Security headers verified (X-Frame-Options, CSP, etc.)

## Recommended Audit Firms

- Trail of Bits (Rust + cryptography expertise)
- NCC Group (infrastructure + application security)
- Cure53 (web application + browser security)
- Doyensec (Rust + WebSocket + API security)

## Budget Estimate

- Comprehensive audit (2-4 weeks): $50,000 - $150,000
- Focused crypto + auth audit (1-2 weeks): $25,000 - $60,000
- Penetration test only (1 week): $15,000 - $30,000