VeraCrypt To Benefit From Open Source Bug Bounty Program

Topics: Users Discussion
Dec 29, 2016 at 10:28 PM

The overflow funds are being reserved for the bug bounty program that will begin after the OpenSSL audit finishes in mid-2017. This will be a program where researchers can submit new security bugs to the developers of the projects that have already been audited by OSTIF for up to $5000 in rewards. When this program begins, it will cover VeraCrypt, OpenVPN, and OpenSSL, and OSTIF will need a $50,000 pool to set aside for award payouts that will need to be periodically replenished by donation overages from other projects. The bug-bounty program is the crucial next step in improving our supported apps. It draws in the attention of reverse-engineers, white hats, and academics to do additional research into the functionality of the apps and find irregularities that can lead to security vulnerabilities. After a professional audit, bringing the eyes of the crypto world to the project is what will keep these apps as strong as they can possibly be.
Dec 29, 2016 at 10:32 PM
Edited Dec 29, 2016 at 10:34 PM

VeraCrypt is an open-source fork of the fabled TrueCrypt software. VeraCrypt is software designed to securely encrypt files and entire file systems. VeraCrypt contains updates to TrueCrypt 7.1a that fix some of the issues revealed in the TrueCrypt audit.

OSTIF Goals for VeraCrypt:
Primary goals:

-Establish a bug bounty to encourage close scrutiny by the worldwide security community.
-A follow-up security audit focusing on all changes to the software after the 7.1a audit. This would take place after feature adds and fixes. This was completed and the results released in October 2016.
-Create a grant system to fund the research and development for VeraCrypt in the following areas.

Research – UEFI support. VeraCrypt cannot encrypt entire file systems on devices that have a UEFI-based BIOS. This will require a full rewrite of the boot loader and subsequent audit of the code. VeraCrypt completed this independently in 2016, although more research is needed in this area.
Research – Non-Western cipher support. In order to gain trust from the entire world, VeraCrypt must implement encryption that is developed all over the world. This builds assurances that ciphers that may meet compromised standards are less likely to fall through the cracks. VeraCrypt completed this independently in 2016.

Stretch goals:

-Research and implement fixes for the minor theoretical vulnerabilities in VeraCrypt that remain unpatched.
-Research and implement UI improvements to make VeraCrypt more accessible.
Dec 29, 2016 at 10:51 PM

The QuarksLab audit of VeraCrypt has been completed, and this is the public release of the results.
The quick and dirty:
VeraCrypt 1.18 and its bootloaders were evaluated. This release included a number of new features including non-western developed encryption options, a boot loader that supports UEFI (modern BIOSes), and more.

QuarksLab found:
8 Critical Vulnerabilities
3 Medium Vulnerabilities
15 Low or Informational Vulnerabilities / Concerns

The public disclosure of these vulnerabilities coincides with the release of VeraCrypt 1.19, which fixes the vast majority of these high-priority concerns. Some of these issues have not been fixed due to the high complexity of the proposed fixes, but workarounds have been presented in the documentation for VeraCrypt.

The Fixes:
Because of this audit, VeraCrypt has issued a number of fixes to both the application and the bootloader in 1.19.

The fixes include:
Removal of the GOST 28147-89 encryption option entirely. The implementation was unsafe. Functionality for decryption of volumes that used this cipher is still in place, but new volumes cannot be created using this cipher.
Removal of XZip and XUnzip. These were replaced with modern and more secure zip libraries (libzip).
Fixes implemented for the vulnerability described in section 5.1 (password length can be determined in classic bootloader).
Fixes implemented for the vulnerability described in section 7.1 for the new bootloader (keystrokes not erased after authentication).
Fixes implemented for the vulnerability described in section 7.2 for the new bootloader (sensitive data not correctly erased).
Fixes implemented for the vulnerability described in section 7.3 for the new bootloader (memory corruption).
Fixes implemented for the vulnerability described in section 7.4 for the new bootloader (null pointer, dead code, inconsistent data reads by ConfigRead, bad pointer in EFIGetHandles, null pointer dereference in the graphic library).
Updates to user documentation for other vulnerabilities that can be closed by user practices.

VeraCrypt is much safer after this audit, and the fixes applied to the software mean that the world is safer when using this software.
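The bootloader findings in sections 7.1 and 7.2 (keystrokes and other sensitive data left in memory after authentication) belong to a class of defect where a buffer is returned or reused without being wiped, and a plain memset() before return is often removed by the compiler as a dead store. As an added example that is not VeraCrypt's own code, here is a hypothetical password-prompt routine in C that wipes its whole fixed-size buffer through a volatile pointer, so the store survives optimisation and the wipe does not leak the password length either. The keystroke string is constructed sample input and the FNV-1a hash is only a stand-in for a real key derivation.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PW_MAX 64

/* Zeroise a buffer through a volatile pointer so the compiler cannot drop the
 * stores as dead writes; C11 memset_s() or explicit_bzero() serve the same
 * purpose where they are available. */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n-- > 0) {
        *vp++ = 0;
    }
}

/* Returns 1 if every byte of the buffer is zero; used to verify the wipe. */
int is_all_zero(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= p[i];
    }
    return acc == 0;
}

/* Hypothetical prompt routine: keystrokes are accumulated in the caller's
 * fixed-size buffer, a stand-in "key derivation" (32-bit FNV-1a, NOT a real
 * KDF) consumes them, and the entire buffer is wiped before returning.
 * Wiping all PW_MAX bytes rather than only the typed length means the
 * remaining memory reveals neither the password nor its length. */
uint32_t derive_and_wipe(const char *keystrokes, unsigned char pw[PW_MAX]) {
    size_t len = 0;
    /* Accumulate keystrokes, refusing to overrun the buffer. */
    for (const char *k = keystrokes; *k != '\0' && len < PW_MAX; k++) {
        pw[len++] = (unsigned char)*k;
    }
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= pw[i];
        h *= 16777619u;
    }
    secure_zero(pw, PW_MAX);         /* erase the buffer, not just len bytes */
    secure_zero(&len, sizeof len);   /* the length is sensitive too */
    return h;
}
```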