An average audit takes about 2-6 weeks. However, the timeline depends on many factors, including your schedule requirements, the scope of the project and the availability of our engineers who are best suited for each audit. After an initial call, and once we have the information we need, we will send you a proposal within a week. The proposal will have scope details, areas of concern, and a potential schedule, along with the cost of the audit.

Most likely, yes. Take a look at our security audit reports or contact us.

Yes! The final report is for you to share (or not share) however you wish. With your permission, we may also publish it on our website.

The choice to publish the final report to a public audience is entirely up to you. Least Authority only speaks publicly about the projects that we have permission to do so. Some clients see the audit as a good opportunity to inform public stakeholders about their efforts to improve the security of their projects and we encourage this. However, we respect the choice that oOther clients may prefer that their security audit process be kept entirely confidential.

In some cases, we may continue to collaborate with you to share knowledge with the larger community. This could be a blog post, a coordinated release, or other forms of informing stakeholders, like our panel discussion about the ProgPoW audit at DevCon5.

No, this is not a simple calculation since the scope of our audits and needs of our clients vary greatly. However, with a few important pieces of information we can usually get a proposal, including cost, to you within a week. We do our projects based on a fixed fee and invoice our clients on project deliverables, rather than offeringuse estimates and invoicinge for time spent. 

Since the initial report brings attention to the vulnerabilities in the code, we recommend that clients resolve the issues as soon as possible to quickly bring confidence to their stakeholders, especially any users of the system. Significant changes to the codebase usually happen over time, so delays could render the audit results obsolete.

We have found, however, that nearly all of our clients manage to address the issues found (that they intend to fix) within 90 days of the delivery of the initial audit report. So, we set the maximum time we wait for responses to the initial report to 90 days, as explained further in the questions below.

In the event that you do not resolve critical security/privacy vulnerabilities in software prior to the release of the final audit report, Least Authority will note that the issues and suggestions remain unresolved.