|
|
|
# Security Overview
|
|
|
|
|
|
|
|
This document is a very high overview related to the security of Hush, with links to other resources.
|
|
|
|
|
|
|
|
## SECURITY AUDIT
|
|
|
|
|
|
|
|
Hush itself has not had a 3rd party code audit, but our upstream fork, Zcash, has. More details on that here:
|
|
|
|
|
|
|
|
https://z.cash/blog/audit-results.html
|
|
|
|
|
|
|
|
# KNOWN SECURITY ISSUES
|
|
|
|
|
|
|
|
Each release contains a `./doc/security-warnings.md` document describing security
|
|
|
|
issues known to affect that release. You can find the most recent version of
|
|
|
|
this document [here](https://github.com/MyHush/hush/blob/master/doc/security-warnings.md)
|
|
|
|
|
|
|
|
Note that this link points to the "in development" version of the file, so it
|
|
|
|
may have more recent findings than the version released with your software. (It
|
|
|
|
might also have issues that are only relevant for the upcoming release which
|
|
|
|
don't affect the current release or older software.)
|
|
|
|
|
|
|
|
# What if myhush.org get hacked?
|
|
|
|
|
|
|
|
In the event the Hush website is down or hacked, please also check these
|
|
|
|
twitter handles: @dukeleto and @MyHushTeam. The Hush protocol has an
|
|
|
|
alert system and currently a small set of people control the keys to issue
|
|
|
|
alerts. These will be sent to all nodes, if necessary in an emergency situation.
|
|
|
|
|
|
|
|
Additionally, you can contact Duke Leto via GPG keys from [Keybase](https://keybase.io/dukeleto), corresponding to
|
|
|
|
|
|
|
|
F16219F4C23F91112E9C734A8DFCBF8E5A4D8019
|
|
|
|
https://keybase.io/dukeleto/pgp_keys.asc
|
|
|
|
|
|
|
|
# What if all the Hush core devs turn evil?
|
|
|
|
|
|
|
|
If we are sufficiently hacked, or if we collectively turn evil, the above
|
|
|
|
resources will not be sufficient to protect you. Luckily, the Hush network is
|
|
|
|
growing into a larger and more resilient decentralized community everyday.
|