The 2022 curl security audit | daniel.haxx.se

@bagder Of course it's great if a team of security experts looks at your code, but I wonder what the value is of "company x looked at the code of product y with version z for n time and found some issues".

Perhaps there is more value in documenting the development approach and which steps are taken to minimise the attack surface. Especially going forward where people may say "using anything written in #clang is irresponsible".

#OpenSource #development

@alexband if they could find bad patterns or otherwise point out things we could improve in our process or development model, it would benefit us more than just a single-shot review. Also, in this case they did provide improvements to our fuzzer and worked on the threat model, which are values that also last a bit longer term than just a snapshot in time.

This was a gift to us and I think it helped us. I don't see any downside in that.

It does not in any way mean that we are "done" or "finished".

@alexband and frankly, no matter what we do, some people will keep chanting that C is bad and the sky is falling