Go through bestpractices.coreinfrastructure.org and finish the points that need coverage

[kerber0x]

There are few items that need to be revised:

[ ] Documentation [ ] include interim versions and not only releases [ ] The release notes MUST identify every publicly known run-time vulnerability fixed in this release that already had a CVE assignment or similar when the release was created [ ] Test policy [ ] be maximally strict with warnings in the software produced by the project, where practical. [ ] Use basic good cryptographic practices [ ] Static/Dynamic code analysis

[kerber0x]

Look at "New functionality testing" for the criteria that are looked after.

[kerber0x]

This is an ongoing effort.