I searched the HA forums and the mailing list archives on xiph.org, but didn't find any threads about Coverity and FLAC.
The U.S. Department of Homeland Security pays Coverity to find defects in open source projects. I've understood that their contract lasts until the start of 2009.
Coverity selects projects and scans their source files with static analysis tools. These projects appear on "Rung 0" on their site. Coverity does not disclose their findings but waits for the developers to contact them. If that happens, the projects move on to Rung 1. The experience to achieve the next level is gained by grinding bugs. The reward might be more computationally intensive checks.
There seems to be no catch as the Linux kernel, Gnome, KDE and Python are using the services, just to mention a few. Many, if not all, of the Xiph projects have been scanned, FLAC included. libvorbis is on Rung 1, while FLAC's still on Rung 0.
I think this might be an excellent way to improve the terrific quality of FLAC, but if I understood correctly, Josh or someone authorized by him has to contact Coverity. I'm not familiar with the FLAC code base. I've just been an impressed user for years.
Thank you, Josh.