Hacker News

tptacek, yesterday at 9:54 PM

I'm not wild about this benchmark. There are well-known firms (definitely not saying that about Trail! No experience at all with the other one here) that issue public-facing audit docs that read the same no matter what the project scope was.

If you're keying off third-party assessment, which is sane, you should be evaluating the combination of the testing team (the best firms will publish reports with the names of the consultants on them) and the scope and depth of the results. The company shouldn't matter; the scope should matter a lot.

A meaningful security assessment for an "E2EE mail service" is nosebleed expensive.


Replies

sc0rt, yesterday at 10:48 PM

Did not expect this post to get all this attention. I've done a little digging and found the operator on X. Had some DMs and he(?) said that they've had 1 black-box and 3 white-box audits. I'm not going to speak for anyone, so maybe you can ask them directly.
