What I’m thinking is when they create a project or account automatically send them an email with a passcode for verification so you do it for each new project.

Require them to validate their email address.

David We may want to start caveating the advanced criteria for areas where a specific point may not apply. Mark

David You may also want to ask OWASP/ZAP what they use since they extensively internationalize. Mark

David While browsing through the list this just caught my eye. Upgrade: Reporting Upgrade enhancement_responses: SHOULD to MUST. "The project MUST respond to a majority of enhancement requests in the

David I sent you details, but after downloading the code I get two errors. The first 1. rake db:reset fails. This is needed to reset the test database and cause schema updates on test systems. 2. rake

David Im reading through the level criteria right now. One thought that comes to mind by way of design. If you are going to have multiple levels I would suggest changes to the web site where by the cr

David That's good news except for the dot problem. Mark

David Or maybe make that a criteria for moving from level 1 to level n. Migration from http to https. Mark

David For your explicit exception Create an explicit exception for users of Github Pages who implement a Cloudfare proxy according to <https://blog.cloudflare.com/secure-and-fast-github-pages-with-clo

David In some ways this goes back to my suggestion and perform auto checks to see if progress is being made. That way their progress can be auto updated as much as possible. Mark

David The bad thing is UBUNTU. Mark

Humm After seeing your statistics and looking at the 14 unknowns it looks like a binary option might be better. It could be git or other, with maybe a comment field for other.