
Add security.txt #2026

Closed
wants to merge 2 commits into from
Closed


Conversation

oehm-smith

@oehm-smith oehm-smith commented Feb 14, 2018

Types of changes

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [x] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • [NA] My code follows the code style of this project. (No code changes made)
  • [x] My change requires a change to the documentation.
  • [x] I have updated the documentation accordingly.
  • [x] I have read the CONTRIBUTING document.
  • [NA] I have added tests to cover my changes.
  • [NA] All new and existing tests passed. (No code changes made)

@@ -121,6 +123,14 @@ technology powering it.

Edit this file to include any pages you need hidden from search engines.

### .well-known

RFC5785 [https://tools.ietf.org/html/rfc5785](https://tools.ietf.org/html/rfc5785) defines '.well-known' as a unique location for content discover. It contains one file - security.txt.
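Review bot: "content discover" in the RFC5785 sentence should read "content discovery", and "It contains one file - security.txt" reads as a statement about the .well-known directory in general rather than about what this repository ships; suggest "This project ships one file there, security.txt, a starter template that must be edited before use", which also addresses the reviewer request that users be told the file is only a template.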


@coliff
Member

coliff commented Feb 14, 2018

Thanks for the PR - It's an interesting addition. I hadn't previously heard of this. It doesn't appear to be very well known (pun not intended) yet.

If this PR were to be merged, the additions to the /dist/ would also need to be made in the /src/ dir - otherwise they'll get rewritten when a new build is made. Also I think additional info is needed on that page to let users know that they need to edit the security.txt file before being used - the file there is just a starter template.

@roblarsen
Member

I see a lot of 404s for this well-known location. I think this would be a good educational addition. I don't know if the file itself should be there or it should just be documented. But anything that solves a persistent 404 is good in my book.

* Added clarifying information and created identical copy in src/.
@oehm-smith
Author

PR updated with feedback.

@@ -0,0 +1,9 @@
# Our security address
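Review bot: only the comment line "# Our security address" of the new 9-line file is visible here; since the file is a starter template, the comment should state that the values that follow are placeholders to be replaced, so a site that deploys the boilerplate unmodified does not publish a security contact that is not its own.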


@roblarsen roblarsen added this to the 6.1.0 milestone Mar 6, 2018

### security.txt

When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. Security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.
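As an added example that is not part of this PR or the html5-boilerplate project, the check a site owner would run before publishing the shipped starter file: it parses a security.txt and reports a missing Contact or Expires (both required by RFC 9116, which standardized the format after this thread), a contact that is not a URI, a past or malformed Expires, and a contact still pointing at a placeholder domain. The sample file and the review date are constructed.

```python
from datetime import datetime, timezone

# RFC 9116 requires Contact (repeatable) and Expires (exactly once).
REQUIRED = ("Contact", "Expires")
URI_SCHEMES = ("mailto:", "https:", "tel:")

def parse_security_txt(text):
    """Map field name -> list of values, skipping blank lines and '#' comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def check_security_txt(text, now):
    """Return the problems found; an empty list means the file is publishable."""
    fields = parse_security_txt(text)
    problems = [f"missing required field {n}" for n in REQUIRED if n not in fields]
    for value in fields.get("Contact", []):
        if not value.startswith(URI_SCHEMES):
            problems.append(f"Contact is not a URI: {value!r}")
        elif "example.com" in value:  # reserved domain: the template was never edited
            problems.append(f"Contact still looks like a template placeholder: {value!r}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear only once")
    for value in expires:
        try:
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {value!r}")
            continue
        if when.tzinfo is None:
            problems.append(f"Expires lacks a timezone offset: {value}")
        elif when <= now:
            problems.append(f"Expires is in the past: {value}")
    return problems

# Constructed sample: the starter template deployed without being edited,
# checked as of a constructed review date.
TEMPLATE = "# Our security address\nContact: mailto:security@example.com\nExpires: 2018-12-31T23:59:00Z\n"
REVIEW_DATE = datetime(2019, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for problem in check_security_txt(TEMPLATE, REVIEW_DATE):
        print(problem)
```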


@roblarsen roblarsen modified the milestones: 6.1.0, 6.2 May 4, 2018
@coliff coliff self-assigned this Oct 4, 2018
@coliff
Member

coliff commented Oct 9, 2018

Thanks again for this PR @oehm-smith - we've decided to give this a mention in the 'extend' docs with a link to https://securitytxt.org/ for more details.
Will be part of the #2074 PR

@coliff coliff closed this Oct 9, 2018
@oehm-smith
Author

oehm-smith commented Oct 10, 2018 via email
