People who want to know about vulnerability, security or license report from third party would be disappointed.
People who want to know about vulnerability, security or license report from third party should be able to click on the badge to see current and historical reports.
Server address:
Server OS:
Webserver:
Browser:
PrivateBin version:
I can reproduce this issue on https://privatebin.net: Yes / No
Willing to be the first donor.
We did have one, but it's from a very long time ago and we think we have addressed most of the issues, except the fundamental problem of the user having to trust the JS not getting manipulated. Hence the urge to run PrivateBin on HTTPS and the move to webcrypto API. As an aside, we did try to do a threat model as well, the conclusion are at the end.
Getting such an audit would be a realistic sponsoring goal. I had discussions with @rugk about sponsoring a while back and our concern at the time was that as soon as money is involved you need to have some organization to manage it (i.e. an association or foundation) a physical location this is at (at least have to pick a country) and someone needs to manage the money, even if it's just a few thousand USD, EUR or similar.
I personally would not necessarily be willing to handle this, as I myself have quite high transparency standards as soon as money is involved. Hence I rather pay for the hosting and domains of the project myself then having to deal with accounting.
Input would in any case be very welcome on this matter. I purely write the above as documentation of why this hasn't happened so far, but I am very open on suggestions on:
We can start from free tools such like this one:
https://bolt.whitesourcesoftware.com/github
and this one:
the integration doesn't seemed too complex to setup.
Regarding the other questions, I would like to suggest following:
Descope the sponsoring part as lacking man power and knowledge, focus on setup scanning and auditing as part of CI/CD.
That is something we already do:
See also: BADGES.md
We had them for a while now. Personally I like some of the Scrutnizer warnings reg. potential risks that we may introduce as well as what parts of the code objectively have "smells". StyleCI (not listed above, as I don't think they offer a dashboard) is handy to catch those pesky white space formatting mistakes I occasionally make.
Edit: Github now has some built in stuff as well, not sure if this is visible beyond maintainers, though:
Edit 2: Reg. licenses - at the moment the LICENSE.md is manually curated, which is still easy, as we don't depend on tons of things and it rarely changes.
I totally disagree with the original issue/"bug" description. We don't really need any "shiny badge". There is nothing that can prove this is vulnerability-free anyway, so this would give a wrong impression.
Let's not get into the same way as online shops put many useless "seals" on their website...
Any automatic security scan or so, however, could indeed be useful. But as pointed out by @elrido we already have not that few...
Most helpful comment
That is something we already do:
See also: BADGES.md
We had them for a while now. Personally I like some of the Scrutnizer warnings reg. potential risks that we may introduce as well as what parts of the code objectively have "smells". StyleCI (not listed above, as I don't think they offer a dashboard) is handy to catch those pesky white space formatting mistakes I occasionally make.
Edit: Github now has some built in stuff as well, not sure if this is visible beyond maintainers, though:
Edit 2: Reg. licenses - at the moment the LICENSE.md is manually curated, which is still easy, as we don't depend on tons of things and it rarely changes.