Code audits are mostly focused on the public CAcert web site, since it represents the exposed surface of the CAcert system and interacts directly with OpenSSL.

These are some policies that can help both developers in writing secure code and auditors in finding missing security features and bad practices.

http://www.osnews.com/images/comics/wtfm.jpg

Auditors can check the code both by its inputs (e.g. grep '_POST\|_GET\|_COOKIE\|_SESSION\|_SERVER\|\$GLOBALS\|[..etc..]' -R ./ ; note the single quotes, so the shell does not expand $GLOBALS before grep sees it) and by sensitive functions: for example execution calls (grep 'exec\|passthru\|system\|[..etc..]' -R ./), file includes (grep 'require_once\|require\|include_once\|include\|[..etc..]' -R ./), dynamic evaluations (eval(), $$variable, $$function()), file operations (fopen, file_get_contents, file_put_contents, etc.), database operations and any other function that could be of trouble. A line where an input (taint source) and one of these functions (sink) appear together is the first place to look.
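The following script is an added example and not part of the CAcert wiki page or the CAcert code base. It turns the grep commands above into reusable, quoted extended-regex patterns, runs them over a small constructed PHP file standing in for a web-root checkout, counts the hits per category, and lists the lines where a taint source and a sink appear together. The sample file and the function names (make_sample_tree, count_hits, same_line_hits, audit_report) are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the CAcert wiki): grep-based source/sink audit of PHP code.

# Constructed sample PHP file standing in for a checkout of the web site.
make_sample_tree() {
  local dir
  dir=$(mktemp -d)
  cat > "$dir/account.php" <<'EOF'
<?php
$user = $_POST['user'];
$id   = $_GET['id'];
include($_GET['page'] . '.php');
$out  = shell_exec('openssl x509 -in ' . $_POST['cert']);
$fn   = $_COOKIE['view'];
$$fn();
echo file_get_contents('/etc/motd');
EOF
  printf '%s\n' "$dir"
}

# Taint sources: superglobal array reads and $GLOBALS.
SOURCES='\$_(POST|GET|COOKIE|SESSION|SERVER|REQUEST|FILES)\[|\$GLOBALS'
# Sinks, one pattern per category named on the page.
EXEC_SINKS='(^|[^[:alnum:]_])(exec|passthru|system|shell_exec|popen|proc_open)[[:space:]]*\('
INCLUDE_SINKS="(^|[^[:alnum:]_])(require|include)(_once)?[[:space:]]*[(\$'\"]"
EVAL_SINKS='(^|[^[:alnum:]_])eval[[:space:]]*\(|\$\$[[:alpha:]_]'
FILE_SINKS='(^|[^[:alnum:]_])(fopen|file_get_contents|file_put_contents|readfile|unlink|fwrite)[[:space:]]*\('
ALL_SINKS="$EXEC_SINKS|$INCLUDE_SINKS|$EVAL_SINKS|$FILE_SINKS"

# count_hits DIR PATTERN -> number of matching lines in *.php files under DIR
count_hits() {
  grep -R -E --include='*.php' "$2" "$1" | wc -l | tr -d '[:space:]'
}

# same_line_hits DIR -> number of lines holding both a source and a sink
same_line_hits() {
  grep -R -E -n --include='*.php' "$SOURCES" "$1" | grep -E "$ALL_SINKS" | wc -l | tr -d '[:space:]'
}

# audit_report DIR -> human-readable summary with file:line references
audit_report() {
  local dir=$1 name pat
  for name in SOURCES EXEC_SINKS INCLUDE_SINKS EVAL_SINKS FILE_SINKS; do
    eval "pat=\$$name"
    printf '== %s (%s hits)\n' "$name" "$(count_hits "$dir" "$pat")"
    grep -R -E -n --include='*.php' "$pat" "$dir" || true
  done
  printf '== source and sink on the same line (%s hits)\n' "$(same_line_hits "$dir")"
  grep -R -E -n --include='*.php' "$SOURCES" "$dir" | grep -E "$ALL_SINKS" || true
}

# Stand-alone usage: build the sample tree, report, clean up.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  SAMPLE=$(make_sample_tree)
  audit_report "$SAMPLE"
  rm -rf "$SAMPLE"
fi
```

On the sample file the report counts five source lines, one hit in each sink category, and two lines (the include and the shell_exec) where a request parameter flows straight into a sink; those two are the lines an auditor reads first. Pointing audit_report at a real checkout instead of the sample tree is the only change needed.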


CategoryAudit