)
)
)
)
Hi NGRAVE community,
I would like to share my vision for open source. Our unwavering commitment is to ensure the highest level of security for our users. Security is not merely a feature of our device; it is the foundation upon which we build our entire ecosystem.
At NGRAVE, we strongly believe in the power of open source. We understand the benefits it brings in terms of transparency, collaboration, and community-driven security. However, we also acknowledge that open source alone is not sufficient to achieve maximum security. It is just one piece of the puzzle, and we must carefully consider various elements to create a truly safe solution.
To this end, we have designed a completely air-gapped device that relies on QR code communication. By eliminating USB, Bluetooth, WiFi, 4G, and NFC connectivity, we eliminate the vulnerabilities associated with remote attacks. This fortified design shields our users from potential hacking threats and eliminates any concerns regarding the misuse of communication channels.
)
We allow our users to verify the content of every QR code, assuring them that NGRAVE operates precisely as claimed, without any hidden activities or unauthorized data sharing. This stands in stark contrast to connected devices that are vulnerable to potential exploits through two-way communication channels.
Regardless of any future decisions made by our business, we want to emphasize that it will always be impossible for us to extract your private keys. This commitment is rooted in our dedication to preserving your trust and safeguarding your assets.
While open source is vital, it does have limitations. The principle of "many eyes checking our code" holds true only if there are enough users reporting potential issues. However, we recognize that zero-day vulnerabilities may remain undisclosed. To address this concern, we have adopted a gradual open-source approach, combining it with rigorous certifications and audits. We have meticulously designed our firmware, with non-secure firmware managing peripherals and secure firmware responsible for secure operations. Pursuing the highest security certification (EAL7) for our secure OS has been a priority. To give our users the security they deserve, we worked closely with ProvenRun to embed this EAL7-certified firmware. This certification ensures thorough testing and offers unparalleled protection.
Additionally, we have implemented a secure element within our hardware wallet to provide the highest level of protection for storing sensitive data, including private keys. Secure elements are widely regarded as the most secure chips available in the market due to their robust design and dedicated security features. However, it is important to note that the inner workings of secure elements are typically kept closed by the manufacturers. This closed nature helps maintain the integrity of the security measures implemented within the chip, preventing potential vulnerabilities from being exploited.
)
Our focus is to balance between open source and certified security measures while protecting our users. If a genuinely secure and open-source chip were to become available in the future, we would certainly be interested in integrating it into our hardware wallet. However, as of now, no open-source chip exists that can offer the same level of security guarantees as the certified secure elements we currently employ. Our foremost priority remains to provide our users with a hardware wallet that ensures the utmost protection for their valuable assets.
We are working to open-source our device, except for the secure element and the EAL7-certified secure OS, for the reasons stated above.
As the CTO of NGRAVE, my vision is to provide our community with a secure and trustworthy environment for managing your digital assets. We will continue to push the boundaries of innovation, rigorously testing and enhancing our security measures. Your trust in NGRAVE drives us forward, and we remain steadfast in our commitment to delivering the highest standards of security.
With sincere appreciation,
Xavier Hendrickx
Chief Technology Officer (CTO) at NGRAVE
)
)
)