
Achieve CII Best Practices Badge

Open jorgeyp opened this issue 7 years ago • 0 comments

Further info

  • [ ] Have a stable website, which says:
    • [x] what it does
    • [x] how to get it
    • [ ] how to give feedback
    • [ ] how to contribute and preferred styles
  • [x] Explicitly specify a FLOSS license
  • [x] Support HTTPS on the project sites
  • [ ] Document how to install and run (securely), and any API
  • [x] Have a distributed public version control system, including changes between releases:
    • [x] Give each release a unique version, using semantic versioning format
    • [x] Give a summary of changes for each release, identifying any fixed vulnerabilities
  • [ ] Allow bug reports to be submitted, archived and tracked:
    • [ ] Acknowledge/respond to bugs & enhancement requests, rather than ignoring them
    • [ ] Have a secure, documented process for reporting vulnerabilities
    • [ ] Respond within 14 days, and fix vulnerabilities within 60 days if they're public
  • [ ] Have a build that works, using standard open-source tools
    • [ ] Enable (and fix) compiler warnings and lint-like checks
    • [ ] Run other static analysis tools and fix exploitable problems
  • [ ] Have an automated test suite that covers most of the code/functionality, and officially require new tests for new code
  • [ ] Automate running the tests on all changes, and apply dynamic checks:
    • [ ] Run memory/behaviour analysis tools (sanitizers/Valgrind etc.)
    • [ ] Run a fuzzer or web-scanner over the code
  • [ ] Have a developer who understands secure software and common vulnerability errors
  • [ ] If cryptography is used:
    • [ ] Use public protocols/algorithms
    • [ ] Don't re-implement standard functionality
    • [ ] Use open-source cryptography
    • [ ] Use key lengths that will stay secure
    • [ ] Don't use known-broken or known-weak algorithms
    • [ ] Use algorithms with forward secrecy
    • [ ] Store any passwords with iterated, salted hashes using a key-stretching algorithm
    • [ ] Use cryptographic random number sources

jorgeyp Oct 17 '17 15:10