FYI, we have implemented some simple spam countering mechanisms on the best practices badge application. Most trivially, whenever someone tries to create a project badge entry, they now see this: We'v

Kevin Wall: For the *badging* application this shouldn't be a big problem. I believe the criteria always talk about "exploitable" vulnerabilities of certain kinds as being unacceptable, not just vulne

Kevin W. Wall: No, absolutely not. I just logged in with a local account & it worked fine. That's mysterious. I just tried the "forget password" with a local account, and it worked fine. That shouldn'

Some of you may have noticed that the “Total Projects” went down last month (2855 to 2852), but the number of projects at 25%+ went up (1089 to 1114). The explanation is that we’ve been working to del

Mark Rader: I don't think that will be enough of a deterrent. The spammers are already willing to do an email confirmation. One possibility would be to *require* a repo URL, and then require that it r

Mark Rader: Good idea, but for local accounts we already do that, and I believe GitHub also requires email validation for their accounts. So we're going to have to go beyond that. --- David A. Wheeler

Sadly, spammers have started to add nonsense "projects" to the CII Best Practices site at a higher rate than before. It appears to be all SEO-related fraud. I suppose that was inevitable, and I guess

Here's a pull request that tries to resolve the CVSS issues: https://github.com/coreinfrastructure/best-practices-badge/pull/1367 It's more text than I'd like, but my goal was to be 100% clear. For ex

Kevin Wall: Good point. I think that shouldn't be required, & it wasn't intended. I think we can solve that. But first, I think I'm required to note that anyone can calculate a CVSS score. NVD has a l

A very few of our criteria mention CVSS (a method for estimating the risk from a vulnerability). For example, [dynamic_analysis_fixed] says this: CRITERION: "All medium and high severity exploitable v

FYI: We continue the work keep the CII Best Practices badge site working smoothly. In particular, we've done a number of updates to keep things going over the last several months. You generally should

The Court of Justice of the European Union (ECJ) has ruled that online websites that embed a Facebook "Like" button are responsible for the data they send to Facebook and are liable for the same penal

All, FYI. One component we use (omniauth) has a publicly-known vulnerability (CVE-2015-9284) that is still not fixed. To deal with this, we’ve taken unusual steps to eliminate the vulnerability’s effe

If you’re curious about the current status of the badge project, I have a useful summary in the presentation “Core Infrastructure Initiative (CII) Best Practices Badge in 2019” (2019-03-14) - https://

FYI: In our effort to keep the Best Practices Badge website running smoothly, we just upgraded from the Rails 5.1 to Rails 5.2 (specifically version 5.2.2). If you notice a problem, please let us know

Daniel Heckhenberg: > Daniel and David, you've both clarified the essential point: analysis tools detect errors or potentially error-prone code which only become identified vulnerabilities in larger c

Daniel Stenberg: I think that is the usual case. Use tools & tests so potential problems can be found & fixed before release. Since they aren't in a release, those normally potential problems do not n

All: The StackStorm has received a passing badge earlier this year. I had an interaction with them that you might find interesting - in particular, it shows that there are people who care whether or n

We’ve hit a milestone – we now have over 2000 projects participating in the CII Best Practices badge! You can see the statistics here: https://bestpractices.coreinfrastructure.org/en/project_stats My

There's a new video on Youtube, "Introduction to the CII best practices badge", at: https://youtu.be/JMptmhV06j8 As you can probably guess, it provides a brief (11 1/2 minute) introduction/overview ab