TREZOR core developers seek to build a community of TREZOR Code Reviewers, who will check our firmware releases and sign them with their GPG keys, confirming that the distributed binary was really built from the published source code and that it does not contain any malicious or abusive code.
This week, on our developers' mailing list, we introduced deterministic builds of TREZOR firmware using Docker. The mechanism allows everyone to recreate an identical build environment and build the firmware from the sources published on GitHub. The first firmware built using this method will be the upcoming 1.2.0 release.
We are looking for bitcoin enthusiasts with an understanding of embedded programming who will review our source code and verify that the firmware distributed and signed by SatoshiLabs is identical to their own builds. Personal profiles of our reviewers will be published on a newly created page of the SatoshiLabs website dedicated to TREZOR Code Review.
That's why we are looking for those who are not motivated by money, but rather see this as an opportunity to strengthen their professional reputation and to help the general public trust the concept of hardware wallets, allowing it to return to the roots of Bitcoin: being the sole and confident owner of the coins. If you want to apply for this position, please contact us via email.
Although code signing is an unpaid position, we have prepared a Responsible Disclosure program for white hat hackers, which offers bounties for finding TREZOR security issues. Bounties will be awarded when issues are reported to us and the vulnerability is confirmed by our security team. Details are described on the Security page of our website.