Yes, as mentioned in the blog post, we worked with Security Innovation to do a week long security assessment with full access to source code, design documents and endpoints.
We also have a long term consulting arrangement with a widely respected security architect, and they helped review our design and implementation.
Additionally, BuzzFeed has a bug bounty program on hackerone (https://hackerone.com/buzzfeed), and has invited participating researchers to report on any issues found. We’ve paid out bounties for a number of minor issues, which were addressed prior to open-sourcing.
> In preparation for open sourcing we also engaged with Security Innovation, a widely respected agency who count Microsoft, Symantec, and Amazon as clients, to do a more in-depth, week long assessment, with full access to source code and design documents. This found no major issues, which gives us the confidence to open source sso today.
That is understood, and is always why we engaged with some of the top researchers who contribute to our bug bounty program, from the start with this project.
For example offering increased bounties during certain windows, or providing early access to the source code.
We highly value our bug bounty program, and find it to be a very effective mechanism for continuous security validation.
I'll write a tech blog post in the near future about how we facilitate our program.
Additionally, knowing that security is never done, we continue to make it eligible for bounties -- see https://github.com/buzzfeed/sso/blob/master/README.md#securi...