Add security.txt

[lukefretwell]

Source

The source of the issue (ex: Customer: #CustomerName#).

LF

Feedback

A member of a state digital service team shared info about the security.txt practice we should consider.

Note: Note sure we can insert the canonical dynamically, but would be awesome of we could.

File contents:

Contact: https://proudcity.com/report-vulnerability
Canonical: https://www.URL/.well-known/security.txt
Expires: 2030-01-01T20:00:00.000Z
Preferred-Languages: en

Reference:

• Location: https://proudcity.com/security.txt or https://proudcity.com/.well-known/security.txt (if the latter, would be good to redirect top-level security.txt to .well-known
• Tool: https://securitytxt.org/
• Standard: https://www.rfc-editor.org/rfc/rfc9116
• Source: https://www.cisa.gov/news-events/news/securitytxt-simple-file-big-value
• Example (redirects): https://www.cisa.gov/sites/default/files/security.txt

QA

Notes:

Links:

*

[lukefretwell]

@curtismchale @kevindherman reading over Krebs' post on this, there's a good chance this may be deluged with emails, so suggest we accept that for security or create a new security-txt@ group.

https://krebsonsecurity.com/2021/09/does-your-organization-have-a-security-txt-file/

[lukefretwell]

Created a page instead: https://proudcity.com/report-vulnerability

[curtismchale]

Deployed with #2619