CII Badging community, I just updated the ESAPI project on the CII Badges site to account for a newly discovered CVE. Specifically, I added this verbiage: Most Software Compositional Analysis tools /

David, et al, Does the username / password for https://bestpractices.coreinfrastructure.org/ now require it to be done via GitHub? I just tried to login using my Gmail account (which was how I registe

I have no objections, but how will moving from CVSSv2 to CVSSv3 affect things if NVD only has CVSSv2 scores available for the particular CVE? Would there be an expectation that we would need to deal w

<daniel.heckenberg@...> wrote: Daniel, The DHS SWAMP (https://www.dhs.gov/science-and-technology/csd-swamp) might have some things. I recall talking to Kevin Greene (BCC'd) at an AppSec USA conf

David, First, apologies for top posting. I don't usually do that, but I have a bunch of emails to reply to tonight. In general, I am against relaxing the 2 silver requirements for Zephyr or any other

That's fine, but I think that it should be worded so that it doesn't come across as an endorsement for CloudFlare. E.g., such as CloudFlare, Akamai, Rackspace, MaxCDN, <insert-your-favorite-CDN-provid

Quick question: Are there any CDNs that the security community should NOT accept as okay, e.g., ones that have poor reputation wrt security? If so, we should list them or criteria of what makes them b

David, My $.02 on the early draft. Note that I've not gone back to review the base criteria and it's been awhile since I've revisited that so apologies if I mention something that is already there. **

Just wondering what everyone's thoughts are about when a project should consider a particular issue related to the badging process to be completed. Can we / should we consider something completed only

David, You wrote: > There are a lot of moving parts in this algorithm, but I think it's clear. I just want to make sure that we avoid lots of nagging - the goal is to encourage people, not to bother t

David, I prefer the original 60 day proposal over the 30 day notice. Some of the projects listed probably don't have all the most volunteer help (I know ESAPI does not), and addressing some of these t

David, Sorry a bit late with this feedback. I hope it is the type of feedback that you are looking for. I can't speak for others, but I guess the one that I'm "struggling" with the most (translate "is

David, Do you also want to know changes we have made (thus far) for the sole purpose of pursuing a badge not yet obtained? Because, I may not be able to recall all of them once we finally arrive as th

Okay, well here it is in <https://drive.google.com/file/d/0B3Yc2oc1Z9n5UjBkb2dWWWJpRGM/view?usp=sharing> as an Open Document Spreadsheet (.ods, like what LibreCalc uses). The first worksheet is just t

David, Thanks for taking the time to do this. I plan on taking a look at it this weekend and see if anything interesting jumps out at me. Just one question though...I'm trying to recall if '?' is the

David, This is interesting, but as an AppSec practitioner, it doesn't address what I'm most interested in, which is where, how, and why are projects failing. I think the most interesting statistic wou

I'm in favor of it, with this caveat... just because a specification project uses a FLOSS approved license like CC-BY-4.0 as David mentioned, that would not necessarily imply that resulting spec would

Actually, I went back and looked at it and it does NOT store plaintext passwords; they are stored as hashes in a text file as: account id | account name | hashed password | roles | lockout | status |

Thanks for that. I fired off an email to them. I'm honestly hoping that it's not as a big of a pain in the ass to get a CPE issued as it is to convince Mitre and them to accept a proposed CVE. (That w

Thanks that feedback was useful and interesting. In particular, the proposed roadmap at https://github.com/linuxfoundation/cii-best-practices-badge/blob/master/doc/other.md was captivating. Good to kn