[dokuwiki] DokuWiki Security Audit

  • From: Andreas Haerter <list+dokuwiki@xxxxxxxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Thu, 22 Mar 2012 10:03:04 +0100

Hi all,

~two weeks ago, I proposed[1] to get an offer for a professional
DokuWiki Security Audit. Now I got some numbers by SektionEins[2] we can
work with.

Stefan Esser wrote that there are round about 120k lines of relevant
code to review. He thinks that a **full** security audit by SektionEins
would therefore need 12-15 days with a daily fee rate of 1000 EUR
(without VAT, "netto"), leading to costs of 12000-15000 EUR.

This is less than I personally expected. However, it's still a lot of
money. Mr. Esser said that a discount would be possible if we really
book so many audit days. He also proposed to discuss if there are things
we can disclaim (like the final audit report) to get "as much audit as
possible for the budget we can organize". He told me that Open Source
projects basically never buy a full security audit but set a budget
of e.g. 10000 EUR and try to get as much audit as possible by dropping
all services != pure code audit.

Therefore:
- Opinions?
- Try to raise 15000 EUR for a **full** audit? Or just e.g. 8000-10000
EUR and drop non-pure-code-audit services? Really think about it,
because things like a final report may contain useful information for
[future] developers. However, dropping it makes sense if we can't raise
enough money. E.g. better an audit without report than no audit ;-)
- What's next? Fundraising campaign?

[1]<//www.freelists.org/post/dokuwiki/Idea-buy-a-security-audit-for-DokuWiki>
[2]<http://www.sektioneins.de/en/index/index.html>

-- 
Andreas <http://blog.andreas-haerter.com>

O< ascii ribbon campaign - stop html mail - www.asciiribbon.org