Code churn – X% of the overall codebase has changed since the last audit.
We can pull this from the Bitergia analytics platform.
Security code changes – security-sensitive areas of the code (e.g. APIs, identity management, crypto code) have been changed substantially or rewritten.
We will need to tag certain files as "security-sensitive" somehow.
Major version change – this is a strong consideration but not an automatic trigger.
This will require team feedback. If the team recommends a new audit then that should be considered.
Large number of security bug reports – X medium- and high-severity security bugs reported over a short period of time (such as three months) should make us think about hiring professionals to try to find the rest.
These stats can be pulled from the HackerOne platform.