Closed commjoen closed 3 years ago
Hi
It's such a vast and conflicting subject, and I personally don't feel the ASVS needs to have it specifically listed. I love what this is doing https://www.thegfce.com/initiatives/r/responsible-disclosure-initiative-ethical-hacking/manifesto and would rather reference that.
Please include https://securitytxt.org/
Full details - https://tools.ietf.org/html/draft-foudil-securitytxt-07
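An offline checker for the two things the proposed requirement asks for (the file is reachable at /.well-known/security.txt or /security.txt, and it carries a usable Contact field), added here as an example; it is not code from the ASVS project or from securitytxt.org. Field syntax ("Name: value", `#` comments) follows draft-foudil-securitytxt-07; treating a past Expires value as a failure is an assumption taken from later revisions of the draft, and the accepted Contact schemes (mailto, https, tel) are likewise this example's choice. The sample files are constructed.

```python
"""Offline checker for a security.txt file (added example, not ASVS code)."""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Dict, List, Optional

# Locations named in the requirement text; the draft prefers /.well-known/.
CANDIDATE_PATHS = ("/.well-known/security.txt", "/security.txt")

# Contact URI schemes accepted by this checker (assumption: mailto, https, tel).
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Map lower-cased field names to their values; comments and blank
    lines are ignored and a field may repeat (e.g. several Contact lines)."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Name: value" line, skip it
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def locate(served: Dict[str, str]) -> Optional[str]:
    """Pick the path a client would use; `served` maps URL path to body."""
    for path in CANDIDATE_PATHS:
        if path in served:
            return path
    return None


def validate(fields: Dict[str, List[str]], now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems: List[str] = []

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact field")
    for contact in contacts:
        if not contact.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto/https/tel URI: {contact}")

    for value in fields.get("expires", []):
        try:
            # Map a trailing 'Z' to +00:00 so older Pythons' fromisoformat accepts it.
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {value}")
            continue
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            problems.append(f"file has expired: {value}")
    return problems


def check_site(served: Dict[str, str], now: Optional[datetime] = None) -> Dict[str, object]:
    """Combine the location and content checks for one site snapshot."""
    path = locate(served)
    if path is None:
        return {"path": None, "problems": ["no security.txt at /.well-known/ or root"]}
    return {"path": path, "problems": validate(parse_security_txt(served[path]), now)}


# Constructed sample files, not taken from any real site.
GOOD = """# Constructed sample
Contact: mailto:security@example.com
Contact: https://example.com/security-contact
Expires: 2099-01-01T00:00:00Z
Preferred-Languages: en
"""
BAD = "Contact: security@example.com\n"  # bare address, no mailto: scheme

if __name__ == "__main__":
    print(check_site({"/.well-known/security.txt": GOOD}))
    print(check_site({"/security.txt": BAD}))
    print(check_site({}))
```

In a real verification the `served` mapping would be filled from two HTTPS fetches of the site under review; the checker is kept offline so the parsing and the precedence between the two locations can be exercised on their own.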
Thanks! We will pick this up in our issue https://github.com/OWASP/owasp-masvs/issues/283 :).
Sorry @commjoen, I agree with @danielcuthbert that I don't think an ASVS requirement for responsible disclosure is necessarily the right answer.
I do however agree with @davidclarke-au about a securitytxt requirement. @davidclarke-au would you be able to create a PR with something?
Happy to @tghosth , what section do you think it should sit under?
V8.1 General Data Protection ??
So my gut is that section 1 architecture is the best place
@davidclarke-au do you want to open a PR?
Will do, 1.1.8 seems the logical choice, so I'll aim for that.
This is a new requirement so is a 4.1 merge
This got merged into master
Should we have markdown in requirement text? (Related issues #809, #810)
Need to consider, that those requirements are not present only in markdown / github and current solution is displayed:
Verify availability of a publicly available [security.txt](https://securitytxt.org/) file at the root or .well-known directory of the application that clearly defines a link or e-mail address for people to contact owners about security issues.
Proposal:
- security.txt
- https://securitytxt.org/ : move to references part

I strongly disagree with putting any markdown in requirements. A URL in the text is better, but markdown based links really harm the standard. And in general if a requirement needs a URL - it's likely not self explanatory. Can we please move ALL links to the bottom of the section in question so requirements are plaintext?
reopen per @elarlang
Fixed this with that commit
Dear ASVS heroes, as we are updating our project (MASVS) https://github.com/OWASP/owasp-masvs/issues/189, given existing documentation in OWASP that is no longer maintained, we stumbled upon the requirements regarding responsible disclosure. Now as I am sure that we should not focus on RD in the MASVS, we were wondering: is the ASVS the place to have requirements about it? With kind regards, your mobile friends ^^.