Michael Scovetta
Sorry about that! My fault. (For future readers -- I *was* able to get this working for v2 by downloading [msys2](https://www.msys2.org/), installing it, and then adding it to the environment...
A few public resources on dangerous T-SQL:
- https://technet.microsoft.com/en-us/library/aa175398(v=sql.80).aspx
- https://www.owasp.org/index.php/Testing_for_SQL_Server
- https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/#3
- https://www.exploit-db.com/papers/12975/
Sorry @klawrawkz - I know our documentation isn't as good as it should be. I'm sorry for that. As to why this is reported -- since the Invoke-Command is often...
Sorry, we don't have this on our roadmap, but we'll take a look at what it would take to port, since the extension models between VS and VS/Mac are very...
Alternatively, a directory structure where all of the supporting files were stored in a separate directory, like:
```
attack_surface_analyzer.exe
readme.txt
resources\
resources\foo.dll
resources\bar.dll
…
```
I think this would be...
That would certainly work for me.
We haven't decided yet, but I'm leaning toward a [SCIM](https://github.com/microsoft/scim) store for assertions (perhaps "Omega processed pkg:npm/[email protected] and did not find a critical vulnerability"). But we're a ways off from...
We could also do a best-effort validation at PR time -- e.g. words like "undisclosed", "0-day", "did not respond" or similar could show up as a PR comment and encourage...
We added additional information to the [wiki](https://github.com/ossf/security-reviews/wiki/Disclosure-Policy) and to the quickstart. I think we should also have a pull request template for this.
Some thoughts -- happy to get others' opinions, too! **A third party security audit of an open source codebase by a security firm? (Assuming yes)** Correct, this should definitely be...