About Ginger Security
GM! We Are Ginger Security. We are a security audit firm with a collective of 30+ years of experience in cybersecurity (both web2 and web3). With us, you can be sure that:
- We are experienced - we have real-world blackhat experience (feel free to ask us about it!) 🕵️
- We are hardcore - we love to solve hard problems! We have experience with a number of niche/proprietary blockchains and we feel comfortable diving into the unknown. 🧐
- We abide by our pay-per-vulnerability policy - beyond a base fee you only pay if we actually find vulns! This way you know that we are committed to doing our best to actually secure your dApp. 💰
- We have skin in the game - 50% of our revenue will go towards your project’s vault on hats.finance 🎩
Prior to sending you the final output, we will notify your dev team of all issues found so that you may patch the code and send it to us for further review.
The final output includes:
- A PDF report summarizing:
  - Executive summary (summary of project and issues found)
  - Methodologies used
  - Vulnerabilities and issues, and their severity categorization
  - Exploitation proof-of-concept (if applicable)
  - Mitigation steps
- A “Security Demystified” video which includes two sections:
  - Interview - we interview the founders (you) with semi-technical questions about how and why you chose the design of your app from a security perspective, and what your security philosophy is
    - Questions available ahead of time
  - Hands-on audit walkthrough - video in which the lead auditor on this project shows why we believe the app is secure (after an audit). This includes using tools like formal verification & deduction, and/or custom tools that we developed for your app during the audit
💡 Feel free to reach out to us for examples of either output.
The pricing works as follows:
- You pay a base fee of for one of our security researchers to familiarize themselves with the code as if they were a part of the dev team
  - The number of hours and the price per hour required for familiarization and the audit itself (including creating the PDF and video outputs) will be agreed upon by both sides before starting the audit
  - For larger code bases this rate could be reduced, please discuss with us privately
- Beyond that, you only pay for issues found, according to the following pricing model:
  - High severity issues - $1,200 per issue found
  - Medium severity issues - $600 per issue found
  - Low severity issues - $300 per issue found
Issue severity categorization
We assess the severity of disclosed vulnerabilities and issues according to the Code4rena severity categorization system.
“Skin in the game” - your hats.finance vault
In order to give you and your users even more peace of mind, we stake 50% of your audit expenses into your project’s hats.finance vault on our own behalf for a whole year after the report is released. Essentially, this means that if a vulnerability is found in your project that we didn’t detect, up to 50% of our profits may be slashed.