mastodon / mastodon

Your self-hosted, globally interconnected microblogging community
https://joinmastodon.org
GNU Affero General Public License v3.0

Add Disclosure info and security.txt support to aid in Security Vulnerability Disclosure #19555

Open jeroenhabets opened 1 year ago

jeroenhabets commented 1 year ago

Pitch

From RFC 9116

When security vulnerabilities are discovered by researchers, proper reporting channels are often lacking. As a result, vulnerabilities may be left unreported.

So I kindly ask to please add support for a security.txt (see RFC 9116 and https://securitytxt.org/). I'd imagine a new Disclosure page or section to /terms that the security.txt could point to. With a request to DM an administrator, or even better some new admin fields to drive this policy.

Motivation

ineffyble commented 1 year ago

There are two different types of disclosure to be considered here - disclosure of bugs/vulnerabilities in the Mastodon software (which need to be disclosed to the project), and disclosure of bugs/vulnerabilities present in a particular instance due to misconfiguration or similar.

jimcheetham commented 1 year ago

Peertube addresses that difference by including two Contact lines - one pointing to the project's documentation for reporting, and the other with the email of the server admin.
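The two-Contact layout described for PeerTube above, as an added example that is not part of this thread and not Mastodon's or PeerTube's own code: a constructed security.txt (project channel first, instance admin second) plus a small checker for the RFC 9116 rules an admin would want to verify before publishing the file at /.well-known/security.txt: at least one Contact, exactly one Expires, values that are real URIs (https://, mailto:, tel:), no http:// web URLs, and an expiry that is neither past nor more than a year out. All URLs, addresses and dates in it are placeholders.

```python
"""Parse and check an RFC 9116 security.txt (added example, not Mastodon code)."""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample in the two-Contact layout described for PeerTube above:
# first Contact for bugs in the software (the project), second for problems
# specific to this instance (its admin). All URLs/addresses are placeholders.
SAMPLE_SECURITY_TXT = """\
# Bugs in the Mastodon software itself: report to the project.
Contact: https://project.example/security-policy
# Misconfiguration or other problems specific to this instance: its admin.
Contact: mailto:admin@instance.example
Expires: 2025-06-30T00:00:00Z
Policy: https://instance.example/terms#disclosure
Preferred-Languages: en, nl
Canonical: https://instance.example/.well-known/security.txt
"""

# Fields defined by RFC 9116; True means the field may appear at most once.
KNOWN_FIELDS = {
    "contact": False, "expires": True, "encryption": False,
    "acknowledgments": False, "preferred-languages": True,
    "canonical": False, "policy": False, "hiring": False, "csaf": False,
}
# Fields whose value is a URI; web URLs in them must use https://.
URI_FIELDS = KNOWN_FIELDS.keys() - {"expires", "preferred-languages"}


def parse_security_txt(text):
    """Return ({lowercased field: [values in file order]}, [malformed lines])."""
    fields, malformed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        name, sep, value = line.partition(":")     # split on the first colon only
        if not sep or not name.strip():
            malformed.append(line)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, malformed


def parse_time(value):
    """Parse the RFC 3339-style timestamp RFC 9116 uses in Expires."""
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))


def check_security_txt(text, now):
    """Apply the MUST/SHOULD rules of RFC 9116. `now` is an ISO 8601 string
    with offset, e.g. "2025-01-01T00:00:00Z". Returns (fields, errors, warnings)."""
    now = parse_time(now)
    fields, malformed = parse_security_txt(text)
    errors = [f"malformed line: {line!r}" for line in malformed]
    warnings = []

    for name, values in fields.items():
        if name not in KNOWN_FIELDS:
            warnings.append(f"unknown field {name!r}; extension fields are allowed but most tools ignore them")
            continue
        if KNOWN_FIELDS[name] and len(values) > 1:
            errors.append(f"{name} appears {len(values)} times; RFC 9116 allows exactly one")
        if name in URI_FIELDS:
            for value in values:
                scheme = urlsplit(value).scheme.lower()
                if not scheme:
                    errors.append(f"{name} value {value!r} is not a URI (an e-mail address needs a mailto: prefix)")
                elif scheme == "http":
                    errors.append(f"{name} value {value!r} uses http://; web URLs must use https://")

    if not fields.get("contact"):
        errors.append("no Contact field; at least one is required")
    expires = fields.get("expires")
    if not expires:
        errors.append("no Expires field; exactly one is required")
    else:
        try:
            exp = parse_time(expires[0])
        except ValueError:
            errors.append(f"Expires value {expires[0]!r} is not a valid timestamp")
        else:
            if exp.tzinfo is None:
                errors.append("Expires must carry a timezone offset")
            elif exp <= now:
                errors.append(f"file expired at {expires[0]}; researchers should treat it as stale")
            elif exp - now > timedelta(days=365):
                warnings.append("Expires is more than a year out; RFC 9116 recommends under a year")
    return fields, errors, warnings


if __name__ == "__main__":
    _, errs, warns = check_security_txt(SAMPLE_SECURITY_TXT, now="2025-01-01T00:00:00Z")
    print("errors:", errs or "none")
    print("warnings:", warns or "none")
```

Contact lines are listed in order of preference, so the order of the two lines is itself a signal to the researcher: the project channel comes first because most findings are software bugs, and the instance admin second for deployment-specific issues. The Expires check matters operationally: a stale file tells a researcher nobody is maintaining the channel, which is exactly the "left unreported" outcome the RFC quotes above.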