OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

Responsible disclosure / Security.txt #664

Closed commjoen closed 3 years ago

commjoen commented 4 years ago

Dear ASVS heroes, as we are updating our project (MASVS) https://github.com/OWASP/owasp-masvs/issues/189, given existing documentation in OWASP that is no longer maintained, we stumbled upon the requirements regarding responsible disclosure. Now as I am sure that we should not focus on RD in the MASVS, we were wondering: is the ASVS the place to have requirements about it? With kind regards, your mobile friends ^^.

danielcuthbert commented 4 years ago

Hi

It's such a vast and conflicting subject, and I personally don't feel the ASVS needs to have it specifically listed. I love what this is doing https://www.thegfce.com/initiatives/r/responsible-disclosure-initiative-ethical-hacking/manifesto and would rather reference that.

davidclarke-au commented 4 years ago

Please include https://securitytxt.org/

Full details - https://tools.ietf.org/html/draft-foudil-securitytxt-07

commjoen commented 4 years ago

Thanks! We will pick this up in our issue https://github.com/OWASP/owasp-masvs/issues/283 :).

tghosth commented 4 years ago

Sorry @commjoen, I agree with @danielcuthbert that I don't think an ASVS requirement for responsible disclosure is necessarily the right answer.

I do however agree with @davidclarke-au about a securitytxt requirement. @davidclarke-au would you be able to create a PR with something?

davidclarke-au commented 4 years ago

Happy to @tghosth , what section do you think it should sit under?

V8.1 General Data Protection ??

tghosth commented 4 years ago

So my gut is that section 1 architecture is the best place

tghosth commented 4 years ago

@davidclarke-au do you want to open a PR?

davidclarke-au commented 4 years ago

> @davidclarke-au do you want to open a PR?

Will do, 1.1.8 seems the logical choice, so I'll aim for that.

vanderaj commented 4 years ago

This is a new requirement so is a 4.1 merge

tghosth commented 3 years ago

This got merged into master

elarlang commented 3 years ago

Should we have markdown in requirement text? (Related issues #809, #810)

Need to consider, that those requirements are not present only in markdown / github and current solution is displayed:

Verify availability of a publicly available [security.txt](https://securitytxt.org/) file at the root or .well-known directory of the application that clearly defines a link or e-mail address for people to contact owners about security issues.

Proposal:
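Added example, not part of this thread, the proposal above, or the ASVS/securitytxt.org projects: a small Python validator for the check the quoted requirement describes. It builds the two locations the requirement names (.well-known first) and checks the file content for a Contact field and, if present, an unexpired Expires field. The accepted Contact URI schemes (mailto:, https:, tel:) and the handling of Expires follow my reading of the securitytxt draft linked earlier, and the sample files are constructed.

```python
"""Validate security.txt content for the check in the quoted requirement (added example)."""
from datetime import datetime, timezone
from typing import Dict, List, Optional

CONTACT_SCHEMES = ("mailto:", "https:", "tel:")  # assumption: schemes the draft allows


def candidate_urls(origin: str) -> List[str]:
    """The two locations the requirement names, .well-known first (the preferred one)."""
    base = origin.rstrip("/")
    return [base + "/.well-known/security.txt", base + "/security.txt"]


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Collect 'Field: value' lines; field names are case-insensitive and repeatable."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # blanks, comments and malformed lines are skipped, not fatal
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text: str, now: Optional[datetime] = None) -> List[str]:
    """Return the problems found; an empty list means the file passes the check."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: List[str] = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact field")
    for contact in contacts:
        if not contact.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")
    for expires in fields.get("expires", []):
        try:  # RFC 3339 'Z' suffix is normalised so older Pythons can parse it
            when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires}")
            continue
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)  # treat naive timestamps as UTC
        if when <= now:
            problems.append(f"security.txt expired on {expires}")
    return problems


# Constructed sample files, not taken from any real site.
GOOD = "Contact: mailto:security@example.com\nExpires: 2099-01-01T00:00:00Z\n"
BAD = "Contact: security@example.com\nExpires: 2020-01-01T00:00:00Z\n"
```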

jmanico commented 3 years ago

I strongly disagree with putting any markdown in requirements. A URL in the text is better, but markdown based links really harm the standard. And in general if a requirement needs a URL - it's likely not self explanatory. Can we please move ALL links to the bottom of the section in question so requirements are plaintext?

jmanico commented 3 years ago

reopen per @elarlang

tghosth commented 3 years ago

Fixed this with that commit