zlacker

> Why don't they do this?

Because the idea that all you need to do to ensure software is secure is hire an expensive consultant is ridiculous.

Especially with a web browser which are highly complex pieces of software.

>>threes+(OP)
"the idea that all you need to do to ensure software is secure is hire an expensive consultant is ridiculous"

Taking Apple's word for their browser being secure and other browsers not is just as if not even more ridiculous.

What fair, independent way of determining browser security would you suggest be used instead of an audit?

>>pmoria+M
This isn't a competition for 'most secure' necessarily. Rather, simply reducing the surface area for attack is positive from a security perspective. If there's some vulnerability in iOS that come from being able to make pages executable, if you only have Safari JIT-ing you have to find a bug in Safari, or the app store review process (and get the user to download your app). If iOS runs Chrome as well, you can find a bug in _either_ Safari _or_ Chrome.

While that's just Safari and Chrome, that's probably ok. But what happens when it's Safari, Chrome, Firefox, Opera, Brave, etc, etc?

For the security test, there are various ways that an org builds software with integrity, and it's the sort of thing that requires a huge amount of effort to get right. Standards like FedRAMP, SOC2, ISO9001, etc etc are the sorts of standardized things that exist (containing things like 'all code must be reviewed'). I think for a browser, if you were Apple and were looking to accept other browser partners, you'd likely do something like this; regular audits of quality, requirements that must be met to maintain access, pentests, basically a continuous process that's to be met by the supplier (similar to how hardware suppliers must meet many requirements).