> Professional auditing and security testing should be necessary for any piece of software from which it's possible to drain large sums of money, regardless of who's running the software or holding the money. In fact, I'd argue anything less constitutes an ethical breach on the part of the lead engineer(s).
Would you include web browsers, OSs, system libraries and such in that definition? All those can steal users money if compromised. If so, who do you suggest be responsible for that in an open source project?
Not in a vacuum; they have to be deployed in a setting where that's possible.
> Would you include web browsers, OSs, system libraries and such in that definition?
It's sort-of a moot point, because the major products in all of these areas are routinely analyzed from a security perspective. Apple and Microsoft both spend a lot of money on security, and security researchers spend lots of time and effort auditing linux.
> If so, who do you suggest be responsible for that in an open source project?
The organization deploying the software in a security-critical setting should follow best practices when selecting and maintaining components.
There's a significant difference between engineering failures that happen even when you've followed best practices, and very preventable engineering failures that happen only because you've not followed best practices. Just because perfect security isn't possible doesn't mean we should give up entirely and not even both sanitizing input, for instance.
Additionally, OS vendors should not encourage users to use their software in security-critical settings unless the vendor is following best practices w.r.t. security. This is where I could see some bitcoin projects getting into trouble.
One problem with the current system that the article did not mention is that having a central party handle all the global financial transfers creates a big handle for nation states to put leverage on.
We saw this very clearly when the US government put pressure on VISA and mastercard to reject donations going to WikiLeaks. I remember watching that whole episode in disgust. With bitcoin, this is pretty much impossible.
Would you include web browsers, OSs, system libraries and such in that definition? All those can steal users money if compromised. If so, who do you suggest be responsible for that in an open source project?