CorOS 2.0.3 is now available

Worked a treat. Thanks all.

Thanks for the update 2.0.3!

I’m sure this was done internally, you wouldn’t see audit results anyway.

thanks ndsp, keep growing :muscle:

Thanks for chiming in! That is correct, I’m sure they’ve done an internal audit of the code. However, when it comes to security they should really do an independent security audit, which is usually a marketing point for any company (I should have been more specific in my reference, my apologies). Most major companies that get a security audit usually advertise that this has been done because it gives assurance that their software is secure and is standard practice in mission-critical InfoSec and NetSec. All the tech giants (e.g., Amazon, Facebook, Google, Mozilla, etc.) have done security audits from reputable security firms (e.g., Cure53, NCC Group, Bishop Fox, etc.). The thinking behind it is that it’s difficult to have the same team who created the holes also see clearly enough to fix the same holes they created, sort of the same reason why magazines or major newspapers hire editors. As a software engineer I learned that peer-reviewed code is generally much safer. On some of my projects on some occasions I would spend say an hour writing code, then say 10 hours debugging that same code weeks later downstream. This principle is also why the strongest encryption libraries (e.g., cryptlib, openpgp, openssl, NaCl, etc.) have all been widely audited by a large community of security experts who also in turn use them. Here’s an example of an independent security audit of the gopenpgp encryption library by SEC Consult: It doesn’t have to be an encryption library, it can be a website or anything that involves software.

The security firm usually does deep penetration testing or peer-reviews the code and sends the company all the holes they’ve identified. That company then patches all the holes and sends it back to the firm, they repeat, and if no further holes are found, they can then say that their software has been audited. There are some large companies that do this regularly, if the code base changes significantly.

It usually isn’t too much of a diversion of development time resources for a company to do an audit. It’s just that getting an independent security audit isn’t cheap (but on the other hand, neither are lawsuits or class-action cases [such as what’s happening to Udemy right now] or incidents like these that affect perceptions that may decrease the sale of items, such as what may happen to the Quad Cortex).


Yesterday I backed up my QC and downloaded the update. Everything went well and I can see no issues at all. I cannot imagine how much work you guys must be doing. I wanted to take the time to thank you for it. God bless your efforts and give you the grace to get it done without driving yourselves crazy!