I think that this proposal is very interesting, is important to have our security standards high but I'm confused, shouldn't be the Keychain team who has to hire that auditory?. They could make their own proposal, or afford it directly. After all is their service the one that will have the benefit of it.
I think that I'll support this anyways but any answer is welcome.
The idea is having an independent part that is not in anyway part of the same team.
Well that's the expected when you hire an auditory, wouldn't have sense otherwise but I get your point.
We're running on a 9k/month budget, it would mean consuming over 2 months budget every time, we push an update (and push a lot of those to always keep it secure and up to date), So, this wouldn't be feasible for us at this stage.
Would have been enough with another specific proposal for the auditory then. Is good that someone else cared to do it though.