Comment on Do you actually audit open source projects you download?

jagged_circle@feddit.nl 6 days ago

I usually just look for CVEs. The biggest red flag is if there’s 0 CVEs. The yellow flag is if the CVEs exist, but they don’t have a prominent notice on their site about it.

Best case is they have a lot of CVEs, they have detailed notices on their sites that were published very shortly after the CVE was published, and they have a bug bounty program set up.
