We take security seriously here at Psono and try to do everything we can to protect our users' passwords. We were extremely excited when Linkspirit reached out to us and offered to audit Psono free of charge, especially as no third party had ever audited Psono before.
Linkspirit is an Italian company with more than a decade of experience in IT security, and they have risen to the top of the IT security services market in Italy. Their portfolio covers a wide range of services, such as
Their expertise and competence are undisputed, and as such they were well suited to audit Psono.
The process was straightforward. Linkspirit provided SSH access to a Linux server and we deployed Psono according to the publicly available documentation. In particular, the client, the server and the admin portal were deployed in Docker containers. An nginx web server, configured according to the regular installation guide, acted as reverse proxy and terminated TLS. The certificate was provided by Let's Encrypt.
Linkspirit audited Psono and looked in particular for possible injection points, violations of the authentication and authorization policy and incorrect checks, and took a deeper look at all the security headers. In the interest of full disclosure, you will find the full results of the audit here.
We feel quite relieved and are happy to report that no major issues were identified and only a few minor, "hardly exploitable vulnerabilities".
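Since the audit took a close look at the security headers, here is an added example of the kind of check an auditor runs against a deployment such as the one described above. This is illustrative code written for this page, not tooling from Psono or Linkspirit; the baseline of expected headers, the one-year HSTS threshold and the two sample responses are constructed assumptions for the example, not a record of what Psono's deployment actually returned or what the audit required.

```python
"""Security-header check of the kind an audit runs against a deployed web app.

Added example for this page, not Psono's or Linkspirit's code.
"""
import re
import urllib.error
import urllib.request
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for this example

# Assumed baseline for the example, not the headers Psono ships or the audit required.
# None means "must be present"; the value is then checked in detail below.
EXPECTED = {
    "strict-transport-security": None,
    "content-security-policy": None,
    "x-content-type-options": "nosniff",
    "x-frame-options": None,        # DENY or SAMEORIGIN are both accepted
    "referrer-policy": None,
}


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    for name, expected in EXPECTED.items():
        value = h.get(name)
        if value is None:
            findings.append(f"missing header: {name}")
        elif expected is not None and value.lower() != expected:
            findings.append(f"{name} should be {expected!r}, got {value!r}")

    # HSTS only helps if browsers remember it for a long time.
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if hsts and (m is None or int(m.group(1)) < ONE_YEAR):
        findings.append(f"strict-transport-security max-age below one year: {hsts!r}")

    # A CSP without default-src leaves unlisted fetch directives wide open,
    # and 'unsafe-inline' / 'unsafe-eval' largely defeat its purpose against XSS.
    csp = h.get("content-security-policy", "").lower()
    if csp:
        if "default-src" not in csp:
            findings.append("content-security-policy has no default-src fallback")
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in csp:
                findings.append(f"content-security-policy allows {weak}")

    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"x-frame-options has unexpected value {xfo!r}")

    # A Server header carrying a version string helps fingerprint the stack;
    # nginx can be told to omit it with `server_tokens off;`.
    server = h.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"server header discloses a version: {server!r}")

    return findings


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch response headers with a HEAD request. Not used by the offline
    samples below; point it at your own deployment."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return {k: v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return {k: v for k, v in err.headers.items()}


# Constructed sample responses for the offline demonstration.
HARDENED = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "same-origin",
}

WEAK = {
    "Server": "nginx/1.18.0",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, "->", check_security_headers(sample) or "no findings")
```

Run against a real instance with `check_security_headers(fetch_headers("https://your-psono-host/"))`; the constructed WEAK sample produces seven findings, the HARDENED one none.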
"We congratulate you on your well-structured and well-written code; this is the first time we have come across such a small number of such low-impact vulnerabilities."
We cannot thank Linkspirit enough for their service! Their hard work helps us sleep better at night!