Add security.txt #73
Comments
Is this strictly necessary for our site, which mostly delegates its
application code to frameworks and hosting providers?
…On Fri, Apr 27, 2018 at 10:36 AM Devin Weaver ***@***.***> wrote:
When security risks in web services are discovered by independent security
researchers who understand the severity of the risk, they often lack the
channels to disclose them properly. As a result, security issues may be
left unreported. security.txt defines a standard to help organizations
define the process for security researchers to disclose security
vulnerabilities securely
- https://securitytxt.org/
- https://ankitvijay.net/2018/02/04/add-security-txt-to-your-web-app/
Static Site Example: https://tritarget.org/.well-known/security.txt
Also, is this something that we could do in site content? Why do we need a machine-readable standard?

Both good questions @treznick, but it seems low effort and non-impactful if someone wanted to make a PR.
Also true @jnimety :) Do we have a contact email for it?
…On Fri, Apr 27, 2018 at 3:27 PM Joel Nimety ***@***.***> wrote:
both good questions @treznick <https://github.com/treznick> but seems low
effort and non-impactful if someone wanted to make a PR
Why a specific format? Because it is a standard. A researcher will look for the standard text file, not attempt to read all the prose on a site to guess who to contact.

Impact analysis: one text file added to the repo. Done and dusted.
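What "one text file" looks like, and the checks a researcher's tooling runs against it, as an added example that is not part of this thread or of the project's repo. The file format was later standardised as RFC 9116, which requires at least one `Contact` field and exactly one `Expires` field (the 2018 draft discussed above did not require `Expires`); the sample file, the example.org addresses and the checker itself are constructed for this example, and the restriction of `Contact` to `mailto:`, `https:` and `tel:` URIs is this checker's own assumption.

```python
"""Minimal security.txt checker (added example, not from this issue thread).

Parses the 'Field: value' format of RFC 9116 and flags the problems a
researcher would trip over: no Contact field, a missing, malformed or past
Expires, or Contact values that are not URIs. The sample file below is
constructed for this example; example.org is a placeholder domain.
"""
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample of what a site would serve at /.well-known/security.txt.
SAMPLE = """\
# Security contact for example.org (constructed example)
Contact: mailto:security@example.org
Contact: https://example.org/security
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
Canonical: https://example.org/.well-known/security.txt
Policy: https://example.org/security-policy
"""

REQUIRED = ("Contact", "Expires")
KNOWN = {"Contact", "Expires", "Encryption", "Acknowledgments",
         "Preferred-Languages", "Canonical", "Policy", "Hiring", "CSAF"}
# Assumption of this checker: anything other than these schemes is flagged.
CONTACT_SCHEMES = ("mailto", "https", "tel")


def parse_security_txt(text):
    """Return (fields, problems); fields maps field name -> list of values."""
    fields = {}
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        name, sep, value = line.partition(":")
        if not sep:
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        name, value = name.strip(), value.strip()
        # Field names are case-insensitive; normalise to the RFC spelling.
        canon = next((k for k in KNOWN if k.lower() == name.lower()), name)
        if canon not in KNOWN:
            problems.append(f"line {lineno}: unknown field {name!r}")
        fields.setdefault(canon, []).append(value)
    return fields, problems


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text)
    for req in REQUIRED:
        if req not in fields:
            problems.append(f"missing required field {req}")
    for contact in fields.get("Contact", []):
        if urlparse(contact).scheme not in CONTACT_SCHEMES:
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact!r}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear only once")
    for value in expires[:1]:
        try:
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {value!r}")
            continue
        if when.tzinfo is None:
            problems.append("Expires must carry a timezone")
        elif when <= now:
            problems.append(f"file expired on {value}")
    return problems


if __name__ == "__main__":
    problems = check_security_txt(SAMPLE)
    for p in problems:
        print("problem:", p)
    print("ok" if not problems else "needs fixing")
```

For a static site the file is just committed under `.well-known/` so the host serves it at `/.well-known/security.txt`; the checker is what you would run in CI so the `Expires` date does not silently pass and leave researchers assuming the contact is stale.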
We just need an email address or group.
…On Fri, Apr 27, 2018 at 3:54 PM Devin Weaver ***@***.***> wrote:
The main purpose of security.txt is to help make things easier for
companies and security researchers when trying to secure platforms. Thanks
to security.txt, security researchers can easily get in touch with
companies about security issues.
No organization wants to be caught on a wrong foot when it comes to
security.
When a security researcher finds a potential breach or security
vulnerability in an organization website/ application, he/she tries to
contact the organization to “responsibly disclose” the issue. The
disclosure is confidential in nature and allows the organization time to
take appropriate action against the issue.
But, who does the security researcher reach out to? Usually, in scenarios
like this, they would not prefer to reach out to the organization via a
general “contact us” page on the website or emailing/ calling a customer
care of the organization. They would rather like to reach out to someone in
the organization who can take immediate action, someone with authority.
Why a specific format? Because it is a standard. A researcher will look
for the standard text file not attempt to read all the prose on a site to
guess who to contact.
Impact analysis
One text file added to the repo. Done and dusted.
[email protected] ?
sounds like a good plan. @jnimety let's touch base about how to do the
email address
…On Fri, Apr 27, 2018 at 4:59 PM, Zach Morek ***@***.***> wrote:
***@***.*** ?
forwards to one of us or some kind of email list?
We can create [email protected] as a group in our Gmail account. I'll do that tomorrow or Monday; in the meantime, @sukima, you can assume that will be the email address.