
Add a link to the human and machine readable security advisories #209

Open
santosomar opened this issue Apr 20, 2021 · 7 comments

Comments

@santosomar

This may go hand-in-hand with #200. The request is to add a link to the machine-readable and human-readable advisories of a company. For example:

# Our Security Advisories
Advisories: https://tools.cisco.com/security/center/publicationListing.x

# Our Machine-readable CSAF/CVRF advisories
CSAF/CVRF Repository: https://tools.cisco.com/security/center/cvrfListing.x

Some vendors also have an API (such as https://developer.cisco.com/psirt/), but unfortunately only a very few do.

@cqueern

cqueern commented Apr 20, 2021

In case it's of interest, there is an emerging discussion at the following link on how to communicate advisories in a format called VEX:

https://www.ntia.doc.gov/files/ntia/publications/draft_requirements_for_sharing_of_vulnerability_status_information_-_vex.pdf

This document is meant to give guidance on what interfaces and information elements are necessary as part of the technical solution to describing the state of potential vulnerabilities in a product.

Perhaps in some iteration of the security.txt standard, it might suggest that such advisories when linked in a security.txt file SHOULD comply with the VEX format.

@santosomar
Author

santosomar commented Apr 20, 2021

Makes sense. FYI: The VEX community, NTIA and CSAF TC are working together. VEX is supported in CSAF. CSAF is one of the first standards supporting VEX. Some examples here.

@nightwatchcyber
Contributor

Being that the draft is in final review by the IETF / IESG, and this can be done via a new registry field, I am going to recommend delaying this until the registry is up and running.

@santosomar
Author

Absolutely! Thank you so much for the consideration.

@santosomar
Author

santosomar commented Jun 4, 2021

To follow up on this... This is a good suggestion by @tschmidtb51: just use the keyword "CSAF" instead of "CSAF/CVRF Repository".

# Human-readable Security Advisories
Advisories: https://example.com/security/advisories

# Machine-readable CSAF documents
CSAF: https://example.com/security/csaf-service.json

Reasoning: All other keywords are one word. CVRF didn't have a specification for where and how to find those documents; CSAF does.
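
As an added example (not code from this thread or from the securitytxt project), a small Python checker that parses a security.txt body using the single-word Advisories and CSAF fields proposed above. It assumes that field names are single tokens of letters, digits and hyphens, and that advisory links must be https URLs; the sample file is constructed and includes one multi-word "CSAF/CVRF Repository" line to show why that keyword shape is awkward to parse.

```python
import re
from urllib.parse import urlparse

# Constructed sample security.txt following the field layout proposed in the thread.
SAMPLE = """# Human-readable Security Advisories
Advisories: https://example.com/security/advisories

# Machine-readable CSAF documents
CSAF: https://example.com/security/csaf-service.json
Contact: mailto:security@example.com
Expires: 2022-01-01T00:00:00.000Z
CSAF/CVRF Repository: https://example.com/old-style
"""

# Assumption: a field name is one token (letters, digits, hyphens) followed by a colon.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.+?)\s*$")
# Fields whose value is expected to be an https link (assumption for this check).
URL_FIELDS = {"Advisories", "CSAF"}


def parse_security_txt(text):
    """Return (fields, problems).

    fields maps each field name to the list of values seen for it;
    problems is a list of human-readable diagnostics, one per bad line.
    """
    fields = {}
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '#' comments carry no data
        m = FIELD_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: not a 'Name: value' field ({line!r})")
            continue
        name, value = m.group(1), m.group(2)
        fields.setdefault(name, []).append(value)
        if name in URL_FIELDS:
            u = urlparse(value)
            if u.scheme != "https" or not u.netloc:
                problems.append(f"line {lineno}: {name} must be an https URL, got {value!r}")
    return fields, problems


if __name__ == "__main__":
    parsed, issues = parse_security_txt(SAMPLE)
    print(parsed)
    for issue in issues:
        print("PROBLEM:", issue)
```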

@nightwatchcyber
Contributor

The CSAF field has been added to the registry.

@santosomar
Author

Excellent! Thank you so much for your support!
