Security

Audits and code

Here is our audit stance, stated plainly. We would rather put our budget and attention into architecture you can verify than into a certificate.

Has Ownbit's code been audited?

  • Ownbit has not commissioned a separate commercial (paid) audit, and does not plan to.
  • The codebase has run maturely in production for years.
  • It has been through security review with several leading AI models.
  • The on-chain MultiSig contracts are public for anyone to review at github.com/bitbill/ownbit-multisig-contracts.

What we do not claim: ISO 27001, SOC 2, or third-party audits from firms such as CertiK, SlowMist or Trail of Bits; NDA client-commissioned audits; or reproducible builds. We prefer to be straight about what exists rather than imply a certificate we don't hold.

Why the client is closed-source

Keeping the client application closed is a deliberate design choice. Obscurity raises the cost of attacking it, and — crucially — your funds never depend on the client's secrecy. Security rests on open cryptographic standards and the public on-chain contracts, both of which you can verify independently, not on the client staying secret.

What is actually open and verifiable

  • The on-chain MultiSig contracts that govern funds — open source, and you can confirm the contract at your address matches them on a block explorer.
  • The QR signing encoding — published at bb_sign_encoding.txt so you can decode any signing QR to plaintext.
  • Standards conformance — import a standard seed and confirm Ownbit derives the same addresses (BIP32/39/44).
FAQ

Frequently asked questions

Has Ownbit had a security audit?

Not a paid commercial audit, and none is planned. Instead: years of mature production use, security review with several leading AI models, and public on-chain MultiSig contracts anyone can review.

Is Ownbit open source?

The on-chain MultiSig contracts are open source. The client application is intentionally closed — a design choice that raises attacker cost while your funds' safety rests on open standards and public contracts, not the client's secrecy.

Why not just get a CertiK or SlowMist audit?

We'd rather put budget and attention into an architecture you can verify yourself than into a paid certificate. We don't claim any third-party audit.

Last updated:

Download

Download Ownbit

Install the app, then set up a cold wallet or MultiSig for the workflow you need.