On Wed, 17 Aug 2016, David Drysdale via c-ares wrote:
> Couple of updates below...
Lovely!
I've also updated a few things and now there are only three criteria left:
- Analysis: It is SUGGESTED that the software include many run-time assertions
that are checked during dynamic analysis
That's a very vague statement, but we have 7 assert()s. That is probably not
"many".
- Reporting: The project MUST publish the process for reporting
vulnerabilities on the project site
- Reporting: If private vulnerability reports are supported, the project MUST
include how to send the information in a way that is kept private.
We should basically just set up a mechanism and document it, and we can check
these two as well.
--
/ daniel.haxx.se