Audits and code
Here is our audit stance, stated plainly. We would rather put our budget and attention into architecture you can verify than into a certificate.
Has Ownbit's code been audited?
- Ownbit has not commissioned a separate commercial (paid) audit, and does not plan to.
- The codebase has run maturely in production for years.
- It has been through security review with several leading AI models.
- The on-chain MultiSig contracts are public for anyone to review at github.com/bitbill/ownbit-multisig-contracts.
What we do not claim: ISO 27001, SOC 2, or third-party audits from firms such as CertiK, SlowMist or Trail of Bits; NDA client-commissioned audits; or reproducible builds. We prefer to be straight about what exists rather than imply a certificate we don't hold.
Why the client is closed-source
Keeping the client application closed is a deliberate design choice. Obscurity raises the cost of attacking it, and — crucially — your funds never depend on the client's secrecy. Security rests on open cryptographic standards and the public on-chain contracts, both of which you can verify independently, not on the client staying secret.
What is actually open and verifiable
- The on-chain MultiSig contracts that govern funds — open source, and you can confirm the contract at your address matches them on a block explorer.
- The QR signing encoding — published at bb_sign_encoding.txt so you can decode any signing QR to plaintext.
- Standards conformance — import a standard seed and confirm Ownbit derives the same addresses (BIP32/39/44).
Frequently asked questions
Has Ownbit had a security audit?
Not a paid commercial audit, and none is planned. Instead: years of mature production use, security review with several leading AI models, and public on-chain MultiSig contracts anyone can review.
Is Ownbit open source?
The on-chain MultiSig contracts are open source. The client application is intentionally closed — a design choice that raises attacker cost while your funds' safety rests on open standards and public contracts, not the client's secrecy.
Why not just get a CertiK or SlowMist audit?
We'd rather put budget and attention into an architecture you can verify yourself than into a paid certificate. We don't claim any third-party audit.
Last updated:
Download Ownbit
Install the app, then set up a cold wallet or MultiSig for the workflow you need.