Probably the hottest business idea of the moment in BTC...

Wednesday, 12 December, Year 4 d.Tr. | Author: Mircea Popescu

... is a code review and insurance service.

What you need :

  • one (or more) well known and respected programmer(s)[1], either hired, partners, external consultants, whatever works[2];
  • working capital;
  • some basic project management, accounting and finance skill.

What you offer. You'll start with two basic products :

    Code review.

    • For open source code, you read the code, line by line, verify that it is in fact safe to run. You then issue a PGP-signed certificate which pretty much says "I the X of Y have reviewed the below code and judged it safe in accordance with Z".
    • For closed source code, you also read the code line by line, you also verify that it is in fact safe to run. You then compile it for whatever platforms the user wants, issue the binaries as PGP-signed documents just as above.

    Code insurance.

    • You offer a promise (in the form of a PGP-signed contract, obviously) to repay customers that lost BTC or other valuables through flaws in the codebase of the respective service. Like all insurance this will sport a maximum cap, and possibly a minimum, so you don't end up processing a lot of < 1 BTC claims. Unlike all insurance, this will sport reasonable conditions; a good contract/promise will have to be drawn up for the purpose.

    Obviously you'll be able to branch and diversify from there once established. Unit testing readily comes to mind, for instance (and it would be a great addition because it would also let you test your junior partners). Full process insurance will probably be the end goal, likely started with hosting practices review and insurance (allowing mitigation of future bitomat.pl-type[3] and linode-type[4] disasters).

How you make money :

  • Code review can easily run in the hundreds of BTC. The best way to charge is probably a fixed fee plus a per-line fee.
  • If the code is not open source, extra fees for compiling can be levied on a per platform basis.
  • Insurance would obviously be a monthly payment (yearly is probably too much of a lump sum for most developers, weekly will quickly become a pain to track). Obviously you won't insure code you haven't reviewed.

Such a business would indubitably be very useful for BTC, because :

  • It allows developers to distinguish themselves.
  • It rewards good coding practices, and pushes towards standardisation and quality through rational means. In particular audited/insured libraries will finally make library use safe in a BTC environment.
  • It allows downstream customers' trust to be built meaningfully rather than haphazardly, allows that trust to be quantified, and allows downstream customers to correctly account for their IT exposure.

MPEx currently takes in something between a few hundred and a few thousand BTC a month and the open market values it close to 600k BTC. This could also take in a few hundred to a few thousand BTC a month, if well run by credible people, which possibly means half a million worth of BTC equity you're working for.

And yes, I would be amenable to help. I would not consider running this project, but I will consider a finance or legal position on the board. Start-up capital via MPEx may also be available, very much depending on the strength of the team and the terms of the incorporation agreement.

Good luck.

———
  1. Which does not mean Amir Taaki and the like!
  2. Probably stock options are unavoidable for the more senior ones, and nothing you'd want to avoid anyway.
  3. Wrong use of hosting resources.
  4. Rogue host.
Category: Bitcoin

10 Responses

  1. Well the first thing that comes to mind is why hasn't this been done already with existing software ....
    Can I get MS insurance? or even open source stuff like Linux? well it's not targeted specifically at 'money' handling and not sure how one figures out the worth of a Word doc and if the fault was HW or SW or maybe 'act of god' as in power failures ..

  2. Mircea Popescu, Wednesday, 12 December 2012

    The reason I think has to do with the appalling quality of code being pushed out. For instance the recent Java disaster would have likely cost a trillion in claims and been the end of Oracle (which'd have been a great thing, which is why it hasn't happened).

  3. The cost of finding and fixing any possible holes in an existing codebase can be higher than redoing the project from scratch with the right mindset and precise requirements. This is why such a standalone code review+insurance service does not exist yet, except for penetration testing, which is practical in cases where a clear border exists between "in" and "out".

    I'm curious, you yourself are actually interested in providing some backing to the developers who would provide such insurance (something like reinsurance irl)?

    This isn't to say whole thing integrating also hosting assessment wouldn't work. But then one would have to deal with much bigger upfront time/investment for new projects, which can make such startups uncompetitive. It's that "never bet against the cheap plastic solution" rush our whole civilization got itself into. Well, maybe bitcoin is really going to change that, as it's anything but plastic, we will see.

  4. Mircea Popescu, Wednesday, 12 December 2012

    The cost of finding and fixing any possible holes in an existing codebase can be higher than redoing the project from scratch with the right mindset and precise requirements.

    This is quite true in some cases (famously the bitdaytrade thing for a convenient example) in which case the corp would just tell the customer "this is too broken to fix, we're not certifying it". End of story. I don't view it as a very serious problem.

    I’m curious, you yourself are actually interested in providing some backing to the developers who would provide such insurance (something like reinsurance irl)?

    Quite possibly, once it's established at least. Of course I think originally the best way to ensure working capital is through share issuance.

    This isn’t to say whole thing integrating also hosting assessment wouldn’t work. But then one would have to deal with much bigger upfront time/investment for new projects

    Absolutely, I think that's more of an endgame scenario, by the time it actually does that it's ready to be bought out by Oracle or whoever for 100mn+. I just added it in there so there's some clear view of the furthest hill, nothing more.

    Well, maybe bitcoin is really going to change that, as it’s anything but plastic, we will see.

    I think so. And in any event, there's a solid market for properly fitted and tailored handmade clothing, at least for businessmen.

  5. If the given code base for some software is small enough (around 10,000 LOC), why not go directly for formal validation? That would probably make way for something like ISO27001/9001 certifications for Bitcoin services.

    I'm not an expert in either of the two areas (formal verification/validation nor Bitcoin), but to answer the first comment, Linux isn't safe (in fact it's friggin' unsafe) exactly because of these reasons: huge code base, no isolation in the kernel space, some undocumented code in device drivers. Basically no one can guarantee it isn't gonna be cracked, and if this is the case then some part of it is going to be cracked sooner or later (not to mention those that have already been).

    However Bitcoin itself seems to be designed on some strong principles, so software making use of it could probably be verified without too much hassle.

  6. Mircea Popescu, Wednesday, 12 December 2012

    That's a good point, if the codebase is small formal validation would probably be the way to go.

    The problems (at least in experience) seem rarely to be either Bitcoin or Linux per se. The edges where things mesh often are shockingly poorly implemented. The best example of a large scale such issue is probably the race condition in Bitcoinica codebase, which was found and documented by an outside user who didn't even have access to the code at all.

    One major point which the original article neglects to mention is that this proposed business would be an excellent point of crystallization for true IT competence, drawing some actually qualified people in.

  7. I'll buy such a service if it wouldn't cost an arm and a leg

  8. Mircea Popescu, Friday, 14 December 2012

    It's cheaper in BTC!

    Firstborn only.

  9. That sounds really smart but I’m wondering how feasible it is.

    First of all, can you review something if you don’t have a broad view perspective? In many cases, you can’t only review a few lines of code as it’s all interconnected.

    Please disregard my first post, I used a wrong URL. :)

  10. Mircea Popescu, Friday, 14 December 2012

    There's no assumptions made at this level as to what exactly the review standards will be. Ideally something sensible, obviously.
