DokuWiki

It's better when it's simple

User Tools

Site Tools


devel:security_audit

DokuWiki Security Audit

It is planned to get a security code review / security audit for DokuWiki by SektionEins GmbH. This page intends to coordinate the needed community actions to organize the fundraising and other audit related processes.

FAQ

What? Why?

See the following mailing list threads if you need more background information:

How much money is needed? How to get it?

The estimated budget is 15 000 EUR.1) There will be fundraising campaign to organize the money.

What happens if we can't raise enough money?

Let's wait and see (why solve problems before they even exist?). However, there are several options:

  • Start a second fundraising round.
  • SektionEins said that a discount would be possible if we really book fifteen audit days.
  • We can discuss if there are services we can disclaim to get “as much audit as possible for the budget we can organize”. SektionsEins told us that many Open Source projects don't buy a full security audit but setting a budget of e.g. 10.000 EUR plus trying to get as much audit as possible by dropping all services excluding the pure code audit (like the final audit report).

I have a great Idea / I want to help / I know how to get some money!

Fundraising

Established Planning

  • FIXME

ToDo

  • Determine how to handle billing and money escrow
    • who's account will receive the crowd funding money?
      • could we send the money directly from the crowd funding site to Sektion1?
    • who will write invoices?
      • do we have someone with a company (who we trust) who would receive the money, write invoices to the donors and order the audit from Sektion1? Maybe for a minimal fee?
    • how to handle taxes?
      • is this even tax relevant?
  • Which crowdfunding site to use?
  • What do we need for the Crowdfunding site?
    • “Perks” eg:
      • backer's name is listed on dokuwiki.org/security_audit
      • backer's name, link and company logo is mentioned in the newsletter
      • an invoice
      • early access to the audit results
    • Maybe an explanatory video
      • I could do that so we have “A message from the founder” — Andreas Gohr 2012/03/30 08:21
    • A good description of why we are doing this and what companies gain by backing the campaign
  • How to reach companies?
    • forum post
    • newsletter
    • Trying to establish personal contact to companies we know to use DokuWiki
    • maybe contacting DokuWiki consultants to outreach to their customers?
  • How to act on the results?
    • immedeate release?
    • releasing a hotfix release before releasing the results?
1)
15 audit days with a daily feerate of 1000 EUR (excluding VAT, “netto”)
devel/security_audit.txt · Last modified: 2012-12-28 19:19 by ach

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki