by chpmrc 1404 days ago
Let's say there's a higher chance that you'll be able to sign a contract with Google or Microsoft that allows you to sue the $$$ out of them if something happens, than hoping to get anything from ankitpokhrel on GitHub whose bio says "I have no idea what I do".

(Nothing against ankitpokhrel and this great tool, just making a point in a slightly sarcastic way)

2 comments

It's open source. If you want to use the functionality but don't trust a random internet user named ankitpokhrel, you can literally gut the project, copy-paste the code you understand, get basic functionality to work, and you can be pretty much certain that there is nothing nefarious going on.

I have done that multiple times. It's not very time demanding, because the working code is there, and all you're doing is essentially deleting code you either don't understand, or don't need. At the same time, you're reading the code you do use.

Which the IT guy won't want to do and will tell you to just use the web interface.

And imagine yourself in the IT guy's shoes. Some rando expects you to audit something that at most one or two people use and probably contains a hundred vulns which would very likely never be fixed anyways. Why would you bother with such a request?
We do that frequently. "I wrote this code" -> audit while I use my code -> "OK/please fix this or that".

I am the customer of our IT, I don't know why it should be any other way. It's noteworthy though that I don't work in a tightly regulated sector.

The premise is that you don't want to audit the source. It's extremely costly and you end up doing it for every update.
I would bet it's easier to do it with a 1 man company, the megacorps are famous for firewalling themselves from liability with very good contract lawyers.

You may also be able to get 3rd party insurance for this.

The 1 man company doesn't have deep enough pockets to actually repay damages and can easily declare bankruptcy.