There seems to be no formalised way to get a Certified Secure status. I have PM'd Śyama_Dāsa over a month ago about certifying one of my modules and was told I'd get a price for it in a few days. This didn't happen and I've received no replies to follow up posts to see what's going on.
Is this program just for certain devs, or are you actually going to have an ongoing programme to review module code? Right now it looks like an invited list and therefore amounts to little more than self-gratification and of no real use, either to people looking for secure modules or for authors wanting to ensure that their code is any good. Right now it looks like all CPG devs' code is all nice and secure and certified and everyone else's is a hopeless hacker feast.
I'll chime in with: I've submitted my module, received a quote, paid the quote, received the first set of responses and am waiting on the second set.
It has been a very long process as I sent the first response back in 8/12/05. The second response has been waiting since 02/06.
I don't mind paying the big price, but it has been frustrating with the time frame of getting responses. I'll give Syama some slack as I have not stated my opinions to him in a PM, but the fact that it has been seven months now...
The information that I did get from him on the first round was VERY helpful and has helped my DF coding skills greatly.
The programme should be open and formal, not just via an ad hoc PM request. There also should be documentation on what "secure" means in the context of "certified secure" and, for that matter, what is checked to meet this security.
The program should be about encouraging better coding especially WRT security. It would be helpful to set out the basic minimum security coding standards for common functions, including examples of secure and insecure coding. That way we could do that up front and the code would be more easily checked and the dev experience put to looking at more complex functions.
Also, in fact, "certified" is misleading, since it isn't certified in any way at all. It is still released under the "no warranty, no comeback" GPL license and, like the core code, not actually certified as fit for any purpose whatsoever legally.
What it means right now is:
"I paid a CPG-Nuke DEV a bunch of cash to check my code and he said it was all right security wise".
This is fine, and IMO, still useful for the first module checked. I pay to benefit from their experiences, however this would become old real quick after 3 or 4 modules and going forward it would be of dubious value. I mean, I match all my competitors on price as it is, so I don't stand to make a lot more from sales by getting the tins stamped "Real Meat".
Also how does this work with upgrades? Version 1.0 certified secure, then I release 1.1. Do I need to get it recertified? What about bug fixes (say in the formatting).
In any case, doesn't this all end up about as useful as "Contents Hot" on a coffee cup: true enough to scald your privates when you buy it, but just wait a bit and it's a total lie.