Hi all,

~two weeks ago, I proposed[1] to get an offer for a professional DokuWiki Security Audit. Now I got some numbers from SektionEins[2] we can work with.

Stefan Esser wrote that there are roughly 120k lines of relevant code to review. He thinks that a **full** security audit by SektionEins would therefore need 12-15 days at a daily fee rate of 1000 EUR (without VAT, "netto"), leading to costs of 12000-15000 EUR. This is less than I personally expected. However, it's still a lot of money.

Mr. Esser said that a discount would be possible if we really book that many audit days. He also proposed to discuss whether there are things we can drop (like the final audit report) to get "as much audit as possible for the budget we can organize". He told me that Open Source projects basically never buy a full security audit but instead set a budget of e.g. 10000 EUR and try to get as much audit as possible by dropping all services != pure code audit.

Therefore:

- Opinions?
- Try to raise 15000 EUR for a **full** audit? Or just e.g. 8000-10000 EUR and drop the non-pure-code-audit services? Really think about it, because things like a final report may contain useful information for [future] developers. However, dropping it makes sense if we can't raise enough money. E.g. better an audit without a report than no audit ;-)
- What's next? Fundraising campaign?

[1] <//www.freelists.org/post/dokuwiki/Idea-buy-a-security-audit-for-DokuWiki>
[2] <http://www.sektioneins.de/en/index/index.html>

--
Andreas <http://blog.andreas-haerter.com>
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org