kubernetes / website

Kubernetes website and documentation repo:
https://kubernetes.io
Creative Commons Attribution 4.0 International

Add a `security.txt` #42693

Closed sftim closed 8 months ago

sftim commented 1 year ago

This is a Feature Request

What would you like to be added

Add a https://k8s.io/.well-known/security.txt page, based on RFC 9116

Why is this needed

Many security researchers encounter situations where they are unable to report security vulnerabilities to organizations because there are no reporting channels to contact the owner of a particular resource, and no information is available about the vulnerability disclosure practices of such owner.

We can provide a machine-parseable way for people to find out how to disclose security vulnerabilities, as well as what not to disclose. (e.g. it's possible to socially engineer a contributor into liking a ~tweet~ X post by an imposter)

Comments

Ideally (?), we'd also sign the file using PGP

Original suggestion

/sig security
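As an added example (not code from the kubernetes/website repository or from anyone in this thread), here is a small Python parser for the file format the request asks for. It checks the RFC 9116 points the request touches on: at least one Contact and exactly one RFC 3339 Expires field, https-only web URIs, comments and unknown fields being ignored, and whether the file is wrapped in an OpenPGP cleartext signature (with a reminder that a signed file should also carry Canonical). The example.org sample files at the bottom are constructed for the example, not the real Kubernetes file, and the signature block is a placeholder that is not cryptographically verified.

```python
"""Parse and sanity-check an RFC 9116 security.txt file (added example, not project code)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# RFC 9116 fields that carry a URI (Expires holds a timestamp, Preferred-Languages a tag list).
# Unrecognised fields are kept but otherwise ignored, as the RFC requires.
URI_FIELDS = {"acknowledgments", "canonical", "contact", "encryption", "hiring", "policy"}
URI_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)
PGP_BEGIN, PGP_SIG = "-----BEGIN PGP SIGNED MESSAGE-----", "-----BEGIN PGP SIGNATURE-----"

@dataclass
class SecurityTxt:
    fields: dict[str, list[str]] = field(default_factory=dict)
    signed: bool = False  # wrapped in an OpenPGP cleartext signature (NOT verified here)
    errors: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)

    def get(self, name: str) -> list[str]:
        return self.fields.get(name.lower(), [])

def _unwrap_clearsign(text: str) -> tuple[str, bool]:
    """Return the signed body of an RFC 4880 cleartext signature, undoing dash-escaping."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != PGP_BEGIN:
        return text, False
    i = 1
    while i < len(lines) and lines[i].strip():  # armor headers such as "Hash: SHA256"
        i += 1
    body: list[str] = []
    for line in lines[i + 1:]:
        if line.strip() == PGP_SIG:
            return "\n".join(body), True
        body.append(line[2:] if line.startswith("- ") else line)
    raise ValueError("cleartext-signed file has no signature block")

def _parse_rfc3339(value: str) -> datetime:
    ts = datetime.fromisoformat(value[:-1] + "+00:00" if value.endswith(("Z", "z")) else value)
    if ts.tzinfo is None:
        raise ValueError("timestamp has no time zone")
    return ts

def parse_security_txt(text: str, now: datetime | None = None) -> SecurityTxt:
    now = now or datetime.now(timezone.utc)
    body, signed = _unwrap_clearsign(text)
    doc = SecurityTxt(signed=signed)
    for lineno, line in enumerate(body.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        if ":" not in line:
            doc.errors.append(f"line {lineno}: not a 'Field: value' line")
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()  # field names are case-insensitive
        doc.fields.setdefault(name, []).append(value)
        if name in URI_FIELDS:
            m = URI_SCHEME.match(value)
            if not m:
                doc.errors.append(f"line {lineno}: {name} value is not a URI")
            elif m.group(1).lower() == "http":  # web URIs in security.txt must be https
                doc.errors.append(f"line {lineno}: {name} must use https, not http")
    if not doc.get("contact"):
        doc.errors.append("Contact field is required")
    expires = doc.get("expires")
    if len(expires) != 1:
        doc.errors.append("exactly one Expires field is required")
    else:
        try:
            ts = _parse_rfc3339(expires[0])
        except ValueError as exc:
            doc.errors.append(f"Expires is not RFC 3339: {exc}")
        else:
            if ts <= now:
                doc.errors.append(f"Expires ({expires[0]}) is in the past: file is stale")
    if signed and not doc.get("canonical"):
        doc.warnings.append("signed file should also carry a Canonical field (RFC 9116 recommends it)")
    return doc

# Constructed sample files for a hypothetical example.org; a fixed "now" keeps results reproducible.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_PLAIN = """# constructed example, not any real organisation's file
Contact: mailto:security@example.org
Contact: https://example.org/security/report
Expires: 2025-12-31T23:59:59Z
Preferred-Languages: en
"""
SAMPLE_SIGNED = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: mailto:security@example.org
Expires: 2025-12-31T23:59:59Z
Canonical: https://example.org/.well-known/security.txt
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
"""
SAMPLE_BAD = """Contact: security@example.org
Policy: http://example.org/policy
Expires: 2024-01-01T00:00:00Z
"""
```

`parse_security_txt(SAMPLE_BAD, SAMPLE_NOW).errors` reports the bare e-mail address (no `mailto:` scheme), the `http://` policy URI and the stale Expires date; the plain and signed samples parse cleanly. The parser only recognises the cleartext-signature wrapper; checking the signature itself against the project's published key is a job for `gpg --verify` on the fetched file.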

whitebeard10 commented 1 year ago

/assign

raesene commented 1 year ago

/triage accepted

sftim commented 1 year ago

/priority important-longterm

ashish493 commented 1 year ago

@whitebeard10 If you have started working on it, let me know if any help is required. I am also interested in contributing to it.

ashish493 commented 1 year ago

@sftim do we also need to write a KEP for this issue, since you have mentioned that in the previous slack discussion?

whitebeard10 commented 1 year ago

I am still working on it; will let you know if any help is needed, for sure @ashish493

sftim commented 1 year ago

> do we also need to write a KEP for this issue, since you have mentioned that in the previous slack discussion?

The best group of people to ask about this are Kubernetes SIG Security.

coder12git commented 10 months ago

/assign

coder12git commented 10 months ago

Have a look at this PR -> https://github.com/kubernetes/website/pull/44487