Review resources before approving them (XF Community)

Status
Not open for further replies.
Some middle ground would be scanning files to see if they use direct DB queries over finders for starters. I'm sure there's some easy regex to do that... but, it'd require the developer to upload the zip here and if it's questionable, put in moderation.

Then, make developers list that zip hash along with the hash on their site to see if it's been "scanned" and somewhat given stamp of approval (with XF still taking on no liability).

But some automated checks and balances put in place on XF like that might cut down on crud addons being added to the resource manager.
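
Added example (not part of the original posts, and not XenForo tooling): a sketch of the automated check suggested above, which hashes the uploaded zip and flags PHP lines that call the database adapter directly instead of going through a finder. The regex heuristic, the function names and the two-file "Demo" add-on are assumptions constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

MAX_FILE = 2_000_000  # skip oversized members; the upload is untrusted input

# Heuristic (assumption): a call made straight on XenForo's DB adapter,
# e.g. \XF::db()->query(...), $this->db()->fetchAll(...), $db->update(...).
DIRECT_DB = re.compile(
    r"(?:\\XF::db\(\)|->db\(\)|\$db)\s*->\s*"
    r"(query|fetchAll\w*|fetchRow|fetchOne|fetchPairs|insert|update|delete)\s*\("
)

def scan_addon_zip(data: bytes) -> dict:
    """Hash the uploaded zip and list direct-DB calls in its .php files."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in sorted(zf.infolist(), key=lambda i: i.filename):
            if not info.filename.lower().endswith(".php") or info.file_size > MAX_FILE:
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                match = DIRECT_DB.search(line)
                if match:
                    findings.append((info.filename, lineno, match.group(1)))
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # the hash a developer would list
        "findings": findings,
        "moderate": bool(findings),  # questionable -> hold for a human to look at
    }

def build_sample_zip() -> bytes:
    """Constructed two-file add-on, not a real resource."""
    files = {
        "upload/src/addons/Demo/Repository/Thing.php":
            "<?php\n$rows = \\XF::db()->fetchAll('SELECT * FROM xf_user WHERE user_id = ' . $id);\n",
        "upload/src/addons/Demo/Pub/Controller/Thing.php":
            "<?php\n$users = \\XF::finder('XF:User')->where('user_id', $id)->fetch();\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    report = scan_addon_zip(build_sample_zip())
    print(report["sha256"], report["moderate"], report["findings"])
```

A match only means "send to moderation": the pattern also fires on comments and on legitimately parameterized queries, so it is a triage signal rather than a verdict.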
 
I'm willing to throw money at this idea, but it relies heavily on like-minded people to do the same - including developers. This may be pushing **** uphill but how about we (the customers) take some responsibility and not leave all the crap for Xenforo to deal with.

How about we set up a website - not affiliated with Xenforo - which is community funded. This site can allow Xenforo developers to sign up and hold an account. Every developer account can have "trust" level. The level of trust can depend on how many people audited their addon(s) code and rated the trustworthiness of the code. This is not to be confused with a review and general functionality of the addon, nor the professionalism level of the developer.

At first, we will allow the developers who have already made a name for themselves to hold an account with a "trust" badge. This gives us something to build off and saves money. - The directory starts to come to life. These developers can include a "badge of honour" in their addons. So, posting an addon to Xenforo's resources will allow them to include a little badge to "Xenforo-Audited-Code-Community-But-A-Better-Name.com" and that will show who audited their code, when it was last audited, and a trust rating.

New developers who are unknown can submit their addons to the site to allow them to be audited. As soon as their addon gets audited by a trusted developer (a hired developer - at least at first), it automatically gives that developer a "trusted" level (maybe 8/10 pending further auditing).
The money to pay for this is generated by donations (I am happy to pump a few hundred into it at first).

After a while, the badge of honour will have actual worth to it - as it means money has been exchanged for auditing services which the developer didn't pay for. As soon as people see the worth of the badge, it will be in the interest of any and all addon creators to be able to display this badge - which means having an account with a "trusted" level.

After a while it can be made that to hold an account on this service you must pay - say - $200 per year. Alternatively, you can pay for your account by auditing other developers' code for X amount of hours. So the site can have donations + membership money funding it.

EDIT: I should probably add that not every single addon for each developer needs to be audited. Once a developer establishes themselves as trusted it should be assumed all of their addons share the same qualities. Breaking the trust results in a lifetime ban and their name on a shame list.

Just a thought.
 
Who would you consider to be in that group now?

Keep in mind, this is for quality of code only - not support / quality of addons / features / personality of developer etc. ONLY trust of code.

Personally from past experience -
@Aayush
@Snog (retired)
@DragonByte Tech
@ChrisD
@xfrocks
@AndyB

Opinion of generally accepted trusted developers
@ThemeHouse
@ChrisD
@Snog
@xfrocks
@AndyB
@Jaxel

Again, I stress, this has nothing to do with how well a developer supports their addons, how feature-rich their addons are, if the developer is a **** or not, where their mother was born or if they like or dislike Trump. This is purely for security and compliance.
 
Keep in mind, this is for quality of code only - not support / quality of addons / features / personality of developer etc. ONLY trust of code.


@AndyB

Opinion of generally accepted trusted developers

@AndyB
This is purely for security and compliance.

Wait... Weren't AndyB's add-ons found to have either a security issue, or bad coding practices... And all had to be updated or deleted? Trying to remember, but don't spend nearly as much time as I used to on here.

How does he get the "Quality of Code" badge on the first go around?

This is the entire issue with this request of code vetting.

I've still not seen any answer in almost 2 years to the question I had before....
What happens when one of these "vetted" add-ons gets through and a forum gets hacked, exposed, blown up, etc.? What then? Who ultimately ends up with the responsibility?

I'll take a stab, the site owner.
 