Get a security audit
We want to get an external security audit done. We need a couple of things first.
- Finish the security-critical code paths: autofill and any interaction with external data (user-entered values, domains, etc.).
- Save up money! Probably from consulting, maybe from paid accounts/donations.
This is probably something to do in late 2018 or early 2019.
Other ideas and mitigating factors
- Hiding some cryptocurrency in a public Passit database would be a cheap way to get some interest and penetration testing.
- We use whatever libsodium defaults to, which reduces our chances of introducing bad security.
- We don't allow the <all_hosts> permission in our extension, which should limit the hidden auth form type of attack.
- Paid accounts or donations might be a way to fundraise
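The permission point above is something a build step can enforce rather than rely on memory. The following is an added example, not Passit project code: a small manifest lint that fails when a WebExtension manifest requests blanket host access. It assumes the permission referred to above is the WebExtensions `<all_urls>` host permission (and the wildcard match patterns that are equivalent to it), and it checks every place such a pattern can appear: `permissions`, `optional_permissions`, `host_permissions` and each content script's `matches`. The two manifests embedded at the bottom are constructed for the example.

```javascript
// Added example (not Passit project code): lint a WebExtension manifest for
// blanket host access. Assumption: the permission meant in the note is the
// WebExtensions `<all_urls>` host permission and its wildcard equivalents.

// Literal patterns that grant access to every site the extension can reach.
const BROAD_LITERALS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*', 'file:///*'];

// True when a match pattern covers every host: either a known literal or a
// scheme://host/path pattern whose host component is a bare "*".
function isBroadHostPattern(pattern) {
  if (BROAD_LITERALS.includes(pattern)) return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\//.exec(pattern);
  return m !== null && m[2] === '*';
}

// Gather every host pattern in the manifest together with where it was found,
// so a failing lint can point at the exact key to fix.
function collectHostPatterns(manifest) {
  const found = [];
  for (const key of ['permissions', 'optional_permissions', 'host_permissions']) {
    for (const pattern of manifest[key] || []) found.push({ where: key, pattern });
  }
  for (const [i, script] of (manifest.content_scripts || []).entries()) {
    for (const pattern of script.matches || []) {
      found.push({ where: `content_scripts[${i}].matches`, pattern });
    }
  }
  return found;
}

// Returns the list of offending entries; an empty list means the manifest
// only asks for narrow host access.
function findBroadHostAccess(manifest) {
  return collectHostPatterns(manifest).filter(({ pattern }) => isBroadHostPattern(pattern));
}

// Constructed "weak" manifest: the extension could inject into any page, which
// is exactly what hidden-auth-form style attacks want from a password manager.
const WEAK_MANIFEST = {
  manifest_version: 2,
  name: 'example-weak',
  permissions: ['storage', '<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'], js: ['autofill.js'] }],
};

// Constructed "narrow" manifest: no blanket host access. `activeTab` grants
// temporary access to the current tab only after the user invokes the
// extension, so autofill still works but only on a page the user asked for.
const NARROW_MANIFEST = {
  manifest_version: 2,
  name: 'example-narrow',
  permissions: ['storage', 'activeTab'],
  content_scripts: [{ matches: ['https://app.example.invalid/*'], js: ['app.js'] }],
};

function lintReport(manifest) {
  const hits = findBroadHostAccess(manifest);
  return hits.length === 0
    ? `${manifest.name}: OK (no blanket host access)`
    : `${manifest.name}: FAIL ${hits.map((h) => `${h.where}=${h.pattern}`).join(', ')}`;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(lintReport(WEAK_MANIFEST));
  console.log(lintReport(NARROW_MANIFEST));
  process.exitCode = findBroadHostAccess(WEAK_MANIFEST).length ? 1 : 0;
}
```

Run it as part of the extension's test step so a pull request that widens permissions fails before review; the `where` field in each hit tells the reviewer which manifest key to look at.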
Who
If you work at a security company and are interested in improving security for Passit please reach out.