Sadly, though, there is only one party offering to take a huge sum of money to crawl through code for a few weeks or possibly months. And it seems to me that the parties offering to do the work have a vested interest in the results coming out "negative for NSA bugs".
This means (as others here have pointed out) that there cannot truly be independent verification. As someone else points out, the money would be better spent on bug hunts.
The approach bears the mark of vigilantism. I say that because encryption operating outside of scientific controls isn't trustworthy encryption. Anything that even touches the subject of encryption and expects to come away tinged with credibility needs to be isolated under scientifically controlled conditions.
Without the financially disinterested, scientifically and academically conglomerate third party offering to perform this same role as a purely academic public service, the scientific control doesn't exist.
You might point out that Green & White are academics, but also read in the article that they are going to take the money and hire an auditing company to do the actual work. That company is at this time completely up in the air. So the academe is thrown right out. The company could decide to hide troubling lines of code from Green & White and give the code a clean audit. Who is going to raise the other $50,000 to cross-verify using similar means, when that means is so flawed that it obviously cries out for cross-verification?
And what are Green & White hoping to get out of this? Are they going to become some sort of security world fixers? Are they going to become the secret holy grail of opportunistic businesspersons, the mythological "information brokers"? They aren't starting out with a purely academic premise or approach, so this is not going to be all that worthwhile for their academe so much as for their standing in that cross-ways between what Eisenhower referred to as "the military industrial complex" and what he referred to as "the educational research complex".
And our hypothetical, white-horse scientific group's work would have to be redundant. No part of the code could be independently verified by one person -- each procedure and call would have to be pored over by a panel to verify unanimously (with the group) that the conclusion about the reliability of the code segment was sound and that that section of code is trustworthy. Can we say anything like that is going to happen as this group of a few people munches and dines its way through the $50,000?
And this smacks of advertising. We're in a time, now, just after numerous encryption, secured storage, and secured email services have self-destructed in the wake of serious allegations of domestic spying. Apparently they found that they were either currently compromised, were facing a future of being compromised, or could not handle the pressure, immediate or projected, that the NSA was putting on them.
That's entirely the reason why this is happening -- to take a product that is popular and to scrutinize it carefully, taking advantage of its open source to contrast how different that reality is from the reality of closed box cloud services. It's a brand demonstration for the open source community in the least sense, but in a greater sense it's a product demonstration for TrueCrypt. Even TrueCrypt has rung in its "approval" of the audit.
We have people asking "who's auditing the auditors", "who's watching the watchdogs", etc. But who's watching this, this whole fiasco? A very limited crowd of people for whom it's not really a learning experience so much as a reminder of the drudgery and toil that code and coding actually represent.
Let's ask ourselves seriously why this code isn't already vouchsafed by the community, first of all. If you can't take a completely open group that could theoretically consist of anybody with a computer terminal and say that this sample group -- the open source community, basically the world at large -- is sufficient to represent disinterest, then how are you going to somehow sample disinterest with a tiny handful of people? Who are doing it for profit? Who aren't even pursuing it in a scientifically controlled or purely academic manner? Obviously just turning the effort of auditing the code out to the open source community (and world at large) would be far more secure, and could potentially cost nothing. I'm sure a few million coders putting in bed-reading-time or youtube-subscription-catchup time could cross verify the entire thing to a satisfactory number of degrees of separation in good time. The effort would always be there for other people to join in and vouchsafe or re-verify. Why should this process occur in a closed laboratory?
Obviously the reason this sort of massively distributed auditing isn't occurring isn't just the logistics of it. It could be organized using any number of existing networks including Usenet, mailing lists (or would that be too vulnerable to tampering), and IRC. There is some psychological barrier to the work being already well done and established.
This brings me back to my point about how this all smacks of marketing to a specific niche crowd, the open source crowd. Now we can see clearly that the open source crowd ISN'T the go-getter, constantly vigilant, ultra-paranoid crowd that millions of Starbucks customers claim it to be. It's just another marketable consumer demographic, and this is how you market products to it.
With subterfuge and laziness.