DEFRA security.txt #22

Open
brendanarnold opened this issue Oct 7, 2019 · 1 comment
@brendanarnold

security.txt is an emerging practice on deployed websites which lets security researchers know how to properly disclose security issues related to a website. More details at https://securitytxt.org

The MoJ is the current gold standard for this and has clear guidelines for sites on what to do - see https://ministryofjustice.github.io/security-guidance/contact/implement-security-txt

There is interest from other departments including DWP and MetOffice. It would be good to get some similar guidance for DEFRA projects.

More information...

@brendanarnold brendanarnold added the enhancement New feature or request label Oct 7, 2019
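As an added example that is not part of this issue or of any DEFRA project: a small Python validator for a security.txt file, applying the field rules of RFC 9116 (the published form of the draft standard the issue refers to): at least one Contact with a URI value, exactly one Expires that is not in the past, and Preferred-Languages at most once. The sample file is constructed; its address and URL are placeholders.

```python
"""Validate a security.txt file against the RFC 9116 field rules (added example)."""
import re
from datetime import datetime, timezone

# RFC 9116: Expires is required and, like Preferred-Languages, may appear only once.
SINGLETON_FIELDS = ("expires", "preferred-languages")
URI_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)

# Constructed sample file; the contact address and policy URL are placeholders.
SAMPLE = """\
# security.txt served at /.well-known/security.txt
Contact: mailto:security@example.gov.uk
Expires: 2030-12-31T23:59:00Z
Preferred-Languages: en
Policy: https://example.gov.uk/security-disclosure
"""


def parse_security_txt(text):
    """Return (field, value) pairs in file order; comments and blank lines are skipped."""
    fields = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Field: value'")
        name, value = line.split(":", 1)
        fields.append((name.strip().lower(), value.strip()))
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    names = [name for name, _ in fields]
    problems = []
    if "contact" not in names:
        problems.append("missing required Contact field")
    for name, value in fields:
        if name == "contact" and not URI_SCHEME.match(value):
            problems.append(f"Contact value {value!r} is not a URI (e.g. mailto: or https:)")
    for single in SINGLETON_FIELDS:
        if names.count(single) > 1:
            problems.append(f"{single} must appear at most once")
    if "expires" not in names:
        problems.append("missing required Expires field")
    else:
        try:  # accept the common trailing 'Z' on older Python versions
            expires = datetime.fromisoformat(dict(fields)["expires"].replace("Z", "+00:00"))
            if expires.tzinfo is None:  # treat a naive timestamp as UTC for comparison
                expires = expires.replace(tzinfo=timezone.utc)
            if expires <= now:
                problems.append("Expires is in the past; file is stale")
        except ValueError:
            problems.append("Expires is not an ISO 8601 date-time")
    return problems
```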
@Cruikshanks
Member

I feel if nothing else going through the process of working out what would go into our security.txt file(s) has worth, even if we never end up with one.

I group this along with external contributions to a repo; we've so far never faced the situation of someone wanting to contribute or tell us about an issue. But I also wouldn't want to be left scrabbling around and keeping someone waiting for weeks whilst we tried to figure out what the actual process would be. Not only would it not be fair, but it also wouldn't look great for the organisation either.

That said, I do think there is value in having this. This is not just an idea replicated by others but is based on an actual draft standard to the Internet Engineering Task Force (IETF).

It's also endorsed by 2 folks I often refer to on security matters, Troy Hunt and Scott Helme.

So it gets a 👍 from me!

@ben-sagar ben-sagar self-assigned this Feb 10, 2020