Timeline

Project

Date        Event name                          Description
2023.03.02  Project start                       Client accepted the pro bono audit
2023.03.22  Kickoff call                        Kickoff call to discuss the scope
2023.03.29  Shared chat                         Joined the shared Slack channel
2023.03.30  Internal planning                   Timeline and allocation planned
2023.04.04  Audit start                         Start of the auditing work
2023.04.06  Audit concluded                     Completion of the auditing work
2023.04.15  First report draft                  Draft of the first report containing all findings
2023.04.19  Engineering feedback call           Feedback call with the engineers to discuss all findings
2023.05.15  Report draft changes                Changes to the report structure
2023.06.01  Added new finding                   Additional GitHub workflow finding added
2023.07.15  Final report draft                  Final draft of the report to undergo broader internal review
2023.09.12  Report completion                   Completion of the full report, including findings and management sections
2023.09.18  Presentation to project management  Presentation of the audit report to the project management of Bloop.ai
2023.09.21  Fix verification                    Fixes were verified for the vulnerabilities with direct impact
2023.09.26  Version 1.0                         Version 1.0 of the report was built and published

Findings

Date        Finding event                     Finding
2023.04.04  Discovered new finding            Improper Tauri Security Configuration
2023.04.04  Discovered new finding            Vulnerable Cargo crates
2023.04.04  Discovered new finding            Improper Allowlist Configuration
2023.04.04  Discovered new finding            Vulnerable NPM Dependencies
2023.04.05  Discovered new finding            Proper Github Workflow Security
2023.04.05  Discovered new finding            Improper Sanitization of Tauri Command Arguments
2023.04.05  Discovered new finding            Dependencies Telemetry Data is not Disabled
2023.04.10  Discovered new finding            Multiple Cross Site Scripting Vulnerabilities
2023.06.01  Discovered new finding            Improper Github Workflow Trigger Validation
2023.09.21  Finding status changed to Fixed   Improper Github Workflow Trigger Validation
2023.09.21  Finding status changed to Fixed   Improper Sanitization of Tauri Command Arguments
2023.09.21  Finding status changed to Fixed   Multiple Cross Site Scripting Vulnerabilities
2023.09.21  Finding status changed to Fixed   Dependencies Telemetry Data is not Disabled
2023.09.21  Finding status changed to Fixed   Vulnerable NPM Dependencies