All audit-related information such as reports, issues, history etc. will be placed in this repo.

| Date | Audit target | Auditor |
|---|---|---|
| June 2018 | Badgr (static/dynamic on both SURFnet repos) and badges | Radically Open Security |

For security-related issues we use the following labels for risk level:

| Name | Risk level |
|---|---|
| risk-severe (red) | Severe risk |
| risk-high (orange) | High risk |
| risk-elevated (yellow) | Significant risk |
| risk-moderate (blue) | General risk |
| risk-low (green) | Low risk |

And the following labels for categories:

| Name | Purpose |
|---|---|
| bug-security (red) | All security issues without a more specific label |
| bug-infrastructure (pink) | Infrastructural issues |
| bug-legal (teal) | Legal issues |
| bug-functionality (blue) | Abuse of functionality |
| bug-denial-of-service (red) | Denial of service |
| bug-data-corruption (red) | Data corruption |
| bug-data-manipulation (red) | Data manipulation |
| bug-file-upload (red) | File upload security issues |
| bug-forgery (red) | Forgery issues |
| bug-infoleak (red) | Information leakage |
| bug-injection (red) | Injection of code or other untrusted input |
| bug-outdated (red) | Outdated software |

The first comprehensive audit was done in June 2018. In scope were the whole Badgr code base (excluding most dependencies), SURFnet's additions to it, the Open Badge concept and the implementation of its specification, and SURFnet's development environment. Issues were found through both static and dynamic analysis.