newhavenio / newhavenio.github.io

active version of the website for newhaven.io built on the Jekyll framework
http://newhavenio.github.io/
MIT License

Add security.txt #73

Open sukima opened 6 years ago

sukima commented 6 years ago

When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely

Static Site Example: https://tritarget.org/.well-known/security.txt

treznick commented 6 years ago

Is this strictly necessary for our site, which mostly delegates its application code to frameworks and hosting providers?


treznick commented 6 years ago

Also, is this something that we could do in site content? Why do we need a machine-readable standard?

jnimety commented 6 years ago

both good questions @treznick but seems low effort and non-impactful if someone wanted to make a PR

jnimety commented 6 years ago

~it would be slightly redundant with package.json, maybe one could populate the other during build?~ please ignore, I was confusing the PR with the humans.txt PR

treznick commented 6 years ago

Also true @jnimety :) Do we have a contact email for it?


sukima commented 6 years ago

The main purpose of security.txt is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.txt, security researchers can easily get in touch with companies about security issues.

No organization wants to be caught on the wrong foot when it comes to security. When a security researcher finds a potential breach or security vulnerability in an organization's website/application, he/she tries to contact the organization to “responsibly disclose” the issue. The disclosure is confidential in nature and allows the organization time to take appropriate action against the issue.

But, who does the security researcher reach out to? Usually, in scenarios like this, they would not prefer to reach out to the organization via a general “contact us” page on the website or emailing/ calling a customer care of the organization. They would rather like to reach out to someone in the organization who can take immediate action, someone with authority.

Why a specific format? Because it is a standard. A researcher will look for the standard text file rather than attempt to read all the prose on a site to guess who to contact.

Impact analysis

One text file added to the repo. Done and dusted.

jnimety commented 6 years ago

We just need an email address or group.

ZachBeta commented 6 years ago

admin@newhaven.io ? forwards to one of us or some kind of email list?

treznick commented 6 years ago

sounds like a good plan. @jnimety let's touch base about how to do the email address


jnimety commented 6 years ago

we can create security@newhaven.io as a group in our gmail account. I'll do that tomorrow or Monday, in the meantime @sukima you can assume that will be the email address.
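As an added example, not code from this thread or the site's repository, here is a small validator for the static /.well-known/security.txt the thread proposes; it assumes the security@newhaven.io contact agreed above, the field rules of RFC 9116 (which later standardized the format), and a constructed Expires date.

```python
"""Validator for a static /.well-known/security.txt (added example, not the site's code)."""
import re
from datetime import datetime, timezone

# Constructed sample: the Contact address is the one agreed in the thread, the Expires date is made up.
SAMPLE = """# Security contact for newhaven.io
Contact: mailto:security@newhaven.io
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
"""

FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(.+?)\s*$")

def parse_security_txt(text):
    """Return {field: [values]}; field names are case-insensitive, '#' lines are comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if not m:
            raise ValueError(f"malformed line: {line!r}")
        fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields

def validate(text, now=None):
    """Return a list of problems (empty means OK) using the RFC 9116 rules checked here."""
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact field")
    for c in contacts:  # RFC 9116 allows mailto:, https: and tel: URIs for Contact
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:  # treat a naive timestamp as UTC
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                problems.append("Expires is in the past; researchers will treat the file as stale")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {expires[0]}")
    return problems
```

Running `validate(SAMPLE)` returns an empty list; dropping the Contact line or setting an Expires date in the past returns a problem for each rule violated.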