Certification and real obligations
Certification is not a legal requirement. It is imposed by some private actors, often themselves subject to consent.
This creates confusion between regulatory compliance and commercial requirements.
A questionable closed ecosystem
Making consent management platforms (CMPs) pay for certification by actors within the same ecosystem raises obvious neutrality issues.
This model favors connections over technical analysis.
An assumed position
tarteaucitron will never be certified by a consent-dependent third party.
This aligns with what tarteaucitron will never do.
What really matters
Code audits and responsible vulnerability disclosures bring far more value than certification badges.
The recent security fix is a good illustration.