
Consider making security.txt use mandatory for CNAs/projects covered by CNAs #53

Open
kurtseifried opened this issue Oct 8, 2017 · 2 comments

Comments

kurtseifried commented Oct 8, 2017

https://securitytxt.org/

TL;DR: security.txt for reporting security issues, like robots.txt for telling web robots how to behave.

Example file:

# Our security address
Contact: security@example.com
# Our PGP key
Encryption: https://example.com/pgp-key.txt

This would make it much easier for people to discover how to report things (99% of the time you can plug a product name in and get the web page no problem, then the problem becomes finding the contact details for reporting your security vulnerability).

Emailing board as well to start discussion.
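To make the proposal concrete, here is an added example (not code from the issue or from the CVE project) that parses a security.txt file with the two fields shown in the post, Contact and Encryption, and flags the checks a CNA reviewer or a reporter would want: a missing Contact line, a Contact value that is not an email/mailto/https/tel target, and an Encryption key link that is not served over HTTPS, since a key fetched over plaintext could be swapped in transit. It checks only the fields used in the 2017 draft quoted above, not the later RFC 9116 requirements.

```python
from urllib.parse import urlparse

# Constructed sample, copied from the example in the post above.
SAMPLE = """# Our security address
Contact: security@example.com
# Our PGP key
Encryption: https://example.com/pgp-key.txt
"""


def parse_security_txt(text):
    """Parse 'Field: value' lines into {field_name_lowercase: [values]}.

    Lines starting with '#' are comments and blank lines are skipped.
    Field names are compared case-insensitively; values keep their case.
    """
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Field: value', got {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate(fields):
    """Return a list of problems; an empty list means the file is usable."""
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("no Contact field: reporters cannot find a security address")
    for c in contacts:
        scheme = urlparse(c).scheme
        # The draft example uses a bare email address; also accept explicit URIs.
        if scheme not in ("mailto", "https", "tel") and "@" not in c:
            problems.append(f"Contact is not an email/mailto/https/tel target: {c!r}")
    for url in fields.get("encryption", []):
        if urlparse(url).scheme != "https":
            problems.append(f"Encryption key must be fetched over https: {url!r}")
    return problems


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE)
    print(parsed, validate(parsed) or "OK")
```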

@kurtseifried (Author)

Also obligatory note: I know CVE tries not to be prescriptive of how an organization runs security response (disclosure policies, embargoes, etc.) but this seems like a pretty simple change, and doesn't really impact the actual handling of flaws other than to make them easier to report.

@chandanbn

See #20

This security.txt is a good idea. It seems to be still in a draft phase and not ready for general consumption. For example, the term 'Full' disclosure as used in this draft is quite different in context from what 'full disclosure' means in general.

There is a growing need for vendors to share their contact details in a standard way to facilitate vulnerability-related communication between researchers and upstream or downstream vendors. I would suggest staying tuned for FIRST SIG work on this matter.
