
At Hyperledger, we are committed to a trust-but-verify security philosophy for our open source projects. We trust the engineering, change management, and risk reduction processes we use in our software supply chain to greatly reduce the risk of security flaws in the finished product. But to verify that this is the case, we are organizing outside, independent security audits of the projects as they reach their 1.0 milestone. This page contains the results as the audits are completed and the reports are published.

Re-auditing Policy

After our projects reach 1.0 status, the policy for when we do another outside audit of a project is based on a few factors. The primary factor is code "churn": the amount of code that has changed since the last audit. The secondary factor is major architectural change (e.g. changing cryptography library implementations). When enough code has changed, or significant architectural rework has happened, Hyperledger will invest money in a follow-up audit to once again establish a baseline for the project's security.
