There’s a name for the estimation problems my mother liked to pose: Fermi Problems, named after the Italian physicist Enrico Fermi, who had an uncanny knack for making spot-on approximations with little actual data on hand. The goal here isn’t knowing the exact number but rather being able to estimate the right order of magnitude using nothing but common sense.
If you didn’t limit yourself to the questions you knew Google had a ready answer for, what would you want to know?
The point is to imagine the infinite cosmos, not to organize it, label it or conquer it.
Can anyone with experience in this field provide an estimate for how much this kind of audit costs? Just considering the viability of open source projects fundraising to cover the cost of an audit.
Penetration tester here - My anecdotal experience:
I've worked on a number of projects where the bill rate is something like $250-$400/hr per engineer, depending on complexity, access to source code, size of the project, etc. That usually equates to something like 10-12k for a single engineer on a project for a week. For bigger projects like this I would think it's totally reasonable to see anything from 4 engineering weeks -> 12 engineering weeks, depending on the different pieces and especially given this is a very high profile project. Based on that, an estimate of something between ~40k-120k.
IncludeSecurity [Erik, CEO of IncludeSec].
We do many FOSS audits for Mozilla, OpenTechFund, etc.
To give you a ballpark estimate: $10k to $40k for small projects, $40k to $80k for medium-sized projects, and $80k to $150k for large projects.