DokuWiki Security Audit
It is planned to get a security code review / security audit for DokuWiki by SektionEins GmbH. This page intends to coordinate the needed community actions to organize the fundraising and other audit related processes.
See the following mailing list threads if you need more background information:
How much money is needed? How to get it?
What happens if we can't raise enough money?
Let's wait and see (why solve problems before they even exist?). However, there are several options:
- Start a second fundraising round.
- SektionEins said that a discount would be possible if we really book fifteen audit days.
- We can discuss whether there are services we can forgo in order to get “as much audit as possible for the budget we can organize”. SektionEins told us that many Open Source projects don't buy a full security audit but instead set a budget of e.g. 10.000 EUR and try to get as much audit as possible for it by dropping all services other than the pure code audit (such as the final audit report).
I have a great idea / I want to help / I know how to get some money!
- Determine how to handle billing and money escrow
- whose account will receive the crowdfunding money?
- could we send the money directly from the crowdfunding site to SektionEins?
- who will write invoices?
- do we have someone with a company (whom we trust) who would receive the money, write invoices to the donors and order the audit from SektionEins? Maybe for a minimal fee?
- how to handle taxes?
- is this even tax relevant?
- Which crowdfunding site to use?
- most popular platform
- needs a US-citizen for starting a campaign
- seems to be the most popular alternative
- has flexible funding campaigns (keep the collected money if goal isn't reached)
- What do we need for the Crowdfunding site?
- “Perks”, e.g.:
- backer's name is listed on dokuwiki.org/security_audit
- backer's name, link and company logo are mentioned in the newsletter
- an invoice
- early access to the audit results
- Maybe an explanatory video
- I could do that so we have “A message from the founder” — Andreas Gohr 2012/03/30 08:21
- A good description of why we are doing this and what companies gain by backing the campaign
- How to reach companies?
- forum post
- Trying to establish personal contact with companies we know use DokuWiki
- maybe contacting DokuWiki consultants to reach out to their customers?
- How to act on the results?
- immediate release?
- releasing a hotfix before publishing the results?