[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

new CNA guidelines


TL;DR: security.txt for reporting security issues, like robots.txt for telling web robots how to behave.

Example file:

# Our Security Address

Contact: security@example.com

# Our PGP key

Encryption: https://example.com/pgp-key.txt

# Our disclosure policy

Disclosure: Full

This would make it much easier for people to discover how to report things (99% of the time you can plug a product name in and get the web page no problem, then the problem becomes finding the contact details for reporting your security vulnerability).

This is a very nice KISS solution, it requires minimal to no maintenance (most places do not change the web page for their PGP key to often, or the reporting email address, with the exception for corporate mergers/divestitures). 

My thought: make this a CNA strong usggestion, or ideally a requirement for the website(s) hosting products/product info for products covered by the CNA 

Kurt Seifried

Page Last Updated or Reviewed: October 09, 2017