CycloneDX / transparency-exchange-api

A standard API specification for exchanging supply chain artifacts and intelligence
https://tc54.org/
Apache License 2.0

Using security.txt to indicate TEA service availability #67

Open oej opened 1 week ago

oej commented 1 week ago

As an alternative, we could register a security.txt field.

The list of security.txt fields is also a registry maintained by IANA.

Originally posted by @ppkarwasz in #30

oej commented 4 days ago

Security.txt is a good way to be able to find the API without having to have a product ID. It's different from the "ordinary" TEA discovery based on the TEI.
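Added example (not code from the transparency-exchange-api project or from anyone in this thread): a small RFC 9116 security.txt parser showing how a client could pick up a TEA service URL from a publisher's security.txt without knowing any product identifier, which is the discovery path described in the comment above. The field name `TEA` is an assumption, not a registered security.txt field; registering one with IANA is exactly what this issue proposes. The sample file is constructed for the example.

```python
"""RFC 9116 security.txt parsing with a hypothetical TEA discovery field.

Added example, not the project's code. "TEA:" is an assumed field name;
it is not in the IANA security.txt field registry.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample input, modelled on RFC 9116 syntax (not a real file).
SAMPLE_SECURITY_TXT = """\
# security.txt for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2099-12-31T23:59:59.000Z
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
# Hypothetical field: where this publisher's TEA service lives
TEA: https://tea.example.com/
"""

# Fields defined by RFC 9116 itself; names are case-insensitive, so lower-case.
RFC9116_FIELDS = {
    "acknowledgments", "canonical", "contact", "encryption",
    "expires", "hiring", "policy", "preferred-languages",
}
# Hypothetical field name this example looks for. Assumption, not a standard.
TEA_FIELD = "tea"


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Parse security.txt into {lower-case field name: [values...]}.

    Comment lines (#...) and blank lines are skipped. A line without a
    "Name: value" separator is a syntax error. Unknown fields are kept, so
    a newly registered field can be read without touching the parser.
    """
    fields: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip() or not value.strip():
            raise ValueError(f"line {lineno}: expected 'Field: value', got {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate(fields: Dict[str, List[str]],
             now: Optional[datetime] = None) -> List[str]:
    """Return RFC 9116 conformance problems (empty list means acceptable)."""
    problems: List[str] = []
    if "contact" not in fields:
        problems.append("missing required Contact field")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            # RFC 3339 profile of ISO 8601; accept the trailing "Z" form.
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                problems.append("Expires must carry a timezone")
            elif exp <= (now or datetime.now(timezone.utc)):
                problems.append("security.txt has expired; treat contents as stale")
        except ValueError:
            problems.append(f"Expires is not RFC 3339: {expires[0]!r}")
    # Web URIs in security.txt must be https; apply the same rule to the
    # hypothetical TEA field, since a cleartext service URL would be pointless.
    for name in ("contact", "canonical", TEA_FIELD):
        for value in fields.get(name, []):
            if value.lower().startswith("http://"):
                problems.append(f"{name}: cleartext URL not allowed: {value}")
    return problems


def tea_endpoints(fields: Dict[str, List[str]]) -> List[str]:
    """Hypothetical TEA discovery: https TEA service URLs advertised, if any."""
    return [v for v in fields.get(TEA_FIELD, []) if v.startswith("https://")]


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE_SECURITY_TXT)
    print("problems:", validate(parsed) or "none")
    print("TEA endpoints:", tea_endpoints(parsed))
```

A client using this path would fetch `/.well-known/security.txt` over HTTPS, refuse a file that fails `validate()` (in particular a stale `Expires`), and only then trust the advertised endpoint. This is independent of TEI-based discovery: it finds the publisher's service, not a specific product.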

oej commented 4 days ago

From the RFC: "Designated experts should determine whether a proposed registration or update provides value to organizations and researchers using this format and makes sense in the context of industry-accepted vulnerability disclosure processes such as [ISO.29147.2018] and [CERT.CVD]."