Here's some data to work from. Below is a short Ruby snippet to sum up the results for each criterion, followed by a CSV formatted result from when it was executed. Anyone who's interested can load th

Emily, David, all My name is Sona Sarmadi, I am one of the OPNFV security members. I am leading the LF Badging Program for OPNFV project, I have created some tasks in Jira for all criteria/items we ne

We have another project with a passing badge: GnuPG. Details here: https://bestpractices.coreinfrastructure.org/projects/197 That’s an important project that many depend on, so I’m very glad to see it

The badging project was designed for “FLOSS projects” - and we had expected only projects with *code* would be asking for a badge. However, project #180 takes an unexpected new direction: it’s a proje

In case you haven’t seen it… FLOSS weekly had a show where Emily & I talked about the best practices badge: https://twit.tv/shows/floss-weekly/episodes/389 There’s also a Linux.com article about the b

I got a nice email from Colin O'Dell, who got a badge for league/commonmark (a CommonMark implementation). The badge entry is here: https://bestpractices.coreinfrastructure.org/projects/126 In the ema

Hope you are ready for some more questions and comments. :) 1) One question asks for the CPE name and refers to https://nvd.nist.gov/cpe.cfm I looked all over that page and still was unable to find ho

Okay, this is a question about interpretations of the 'crypto_password_storage' question. The question I am referring to was this: If passwords are stored for authentication of external users, the pro

Okay, my intent is to try to keep my emails short with only one or two main comments per post. So, first, please give me the "big picture"? 1) What is the overall intent? Is the primary focus merely o

Okay, I'm through with my initial questions (at least until I first get some answers to the other questions that I asked), but I do have a few comments. To me one of the most significant indicators re

Hello. This is my first post to this mailing list. At the urging of some other OWASP colleagues, I recently completed filling out all the CII Badging for the OWASP ESAPI 2.x project (/ESAPI/esapi-java

Greeting to the list members. Excited to see this project moving. OWASP Foundation www.owasp.org with rough concensous is also going to intergrate into the gamification process and drive all projects

Hi All, The section on Dynamic Analysis appears to be mandatory. My application is pretty much all Puppet code and I'm not quite sure how to perform dynamic analysis on this code. Any suggestions woul

We have at least one project that doesn't have full HTTPS support on their project sites (sites_https). We already mentioned Let's Encrypt, but their case, the problem seems to be that Github lacks na

All - here's a press release with more information about the badging project launch: https://www.coreinfrastructure.org/news/announcements/2016/05/free-badge-program-signals-what-open-source-projects-

I suspect everyone here already knows, but in case you didn’t, we’ve officially launched. That doesn’t mean the work ends; in some sense, it’s only beginning. Now that people are seriously trying to g

Hi list -- A topic near and dear to my heart is how both open source and proprietary software handle vulnerability disclosures. The National Telecommunications and Information Administration, part of

I propose that we try (as a group) to create a potential criterion for cryptographic signatures. We can then decide if it's appropriate to add at this time & at this level. Here's a first cut (markdow

Here’s info for those are co-developing the BadgeApp application… A *big* thanks to Dan Kohn, who fixed our test framework so that we can include web browser tests with Javascript. We’ve had the capab

Hi, Hope I'm not too late to propose a change. I'm currently on a mission to tell every foss dev that they should test their stuff with asan. Now there currently already is a rule for that in the badg