[nicce]

It is misleading to tell about audits in this context.

Your transparency statement clearly says that Security audits. This is different than privacy audits. You cannot audit privacy, since you can intentionally change the functionality of your software right after the audit.

For the same reason, you cannot share open-source version of your software and say that it respects privacy. That can be only said if you use reproducible builds, and for client software only.

Both security audits and sharing your software as open, is about security, not the privacy. Open-source software and security audits help to reduce unintentional issues. And in this context it means a lot.

[amilich]

Actually, that's completely false. Security audits are a standard, reputable process for software. Trail of Bits is probably the best (or one of very few top) firms in this category. Check out: https://github.com/trailofbits

[nicce]

Is Trail of Bits doing random checks on your running infrastucture to verify that you are not changing your software against your users?

No. That is not what security audits are. Security audits ensure that software does safely what you, as service orderer claim, in a single moment. Usually including checklist.

But they cannot guarantee that you don’t change software between audits.

That is why E2EE exists as then it does not matter and we don’t need to trust.

Open-source, security audited client for E2EE communication with reproducible builds is the magical, correct combination to ensure both security and privacy.

[amilich]

That's why Skiff has had 4 security audits, not just 1 3 years ago. And, with multiple of the best auditors.

[tptacek]

What exactly got tested in each of these assessments, and what conclusions did those assessments draw? I asked this upthread and I'm asking here again, because "we've had 4 audits" doesn't mean anything without that detail.