Nope, we still can't afford the price tag on an audit. Perhaps I'm jaded or biased because I'm a former Tox dev, but Tox is the only encrypted messenger I'd actually trust. I consider myself to be pretty good at security, but that's just me and you shouldn't take anyone's word for it themselves. That said, if you have an actual cause or reason to be concerned, I'd be interested in hearing it.
This is not meant to be passive aggressive but it's going to sound like it is; how much would an audit actually cost? If someone set up a GoFundMe for a Tox audit, I would definitely contribute ten bucks to make that happen.
I don't think it's passive aggressive at all. I'm a bit embarrassed to say, but I honestly don't remember. My best guess, from what I do remember the last time it was discussed, was in the 2k to 10k range. But it could expand rapidly depending on who, and what level we actually hired someone at. The primary reason we didn't set up crowdfunding ourselves was there were a few important changes we wanted to make a decision on and implement first. I still don't think they've been made, but I'm not following super close anymore.
Even if we go on the higher end of that, 10 grand doesn't seem that high for an audience of engineers (which I think is overrepresented on Hacker News). I know people have been complaining about a lack of a security audit since 2016; I think at this point it would be worth doing an audit now, and potentially another audit when new features are added.
If I were in any way involved in the project I would set up the campaign myself, but sadly I don't know enough C to be useful to a project like this (unless there was a plan to rewrite it in some esoteric functional language for some reason).
You might want to reach out to zugz (via our IRC, or GitHub). He's also a fan of esoteric functional, so you might be able to convince him to start one. Iphy has a repo with the start of a Haskell implementation as proof of the completeness of the spec. No idea what the state of that is, but again, might be worth reaching out :)