Well, I see nothing in that FAQ entry that indicates why KeePassXC should not apply to that program. The entry says that the project has no money, but Mozilla SOS is a grant program. In fact, it even says "Maybe you can beg OSTIF or OTF for funding a KeePassXC audit", and I merely suggested someone else to "beg" (though I don't find that term appropriate). Then, the FAQ entry says audits don't really "prove" security, which I totally agree with, but that fact has no effect on whether to apply to a program that awards free audits.

OTOH, [name] and [name], you suggested that before having an audit, the project should increase test coverage and have a stable version. This is a valid argument (albeit not made by the FAQ entry), but to me, it's not very convincing. It sounds a bit like "let's wait for the software to be finished", but software never is. This software is published, it has a nice website and real users, so why wait?

I am no security code expert, but I have read online that an estimate could be:

Maybe we can start with the most critical parts like core, crypto and keys (2100 USD)?

EDIT: it seems that src/zxcvbn/dict-src.h is made up of quite some lines and, I think, can be safely skipped by a security audit.

Did you know that the European Union started some years ago a project called Free and Open Source Software Audit (FOSSA)? In the FOSSA project (2015-2016) KeePass received a security audit. In the FOSSA 2 project (2017-2020) they offer bug bounties on important Free Software projects (where KeePass is also listed). Maybe we get some financial support from the FOSSA project for a code audit? Maybe we can suggest to add KeePassXC to this project, so maybe it is considered in the future (hopefully there will be a FOSSA 3 project)? Instead of, or in addition to, KeePass, maybe next time also try to include KeePassXC, which is cross-platform compatible and offers more features.

The information about KeePass is taken from the official website: KeePass is an encrypted password database format. It is an alternative to online password managers and is supported on all major platforms. There are two versions of the format: KeePass 1.x (Classic) and KeePass 2.x.

I really know nothing about FOSSA, I just read it in the c't magazine and wanted to post this information here.

And you also should have a look at the code audits of other password managers: KeePass Full Code Review Results Report ( ). They used a tool called Fortify to analyze the source code of applications. Maybe you can see from these reports what issues were found in the other password managers and analyze your code and make sure that this is not happening in KeePassXC. And you see the companies that made the audit and ask them for a concrete price offer. At work I talked some years ago to the ISO.

To exclude KeepassX from adding passwords to the clipboard history, add KeepassX to the exclude list in settings -> security and privacy -> files and applications. That way, KeepassX won't be recorded in ZeitGeist or the Dash, and for example Diodon will not add passwords to the history list.