Add a link to the human and machine readable security advisories

securitytxt / security-txt

A proposed standard that allows websites to define security policies.

https://securitytxt.org

Other

1.8k stars 70 forks source link

Add a link to the human and machine readable security advisories #209

Open santosomar opened 3 years ago

santosomar commented 3 years ago

This may go hand-in-hand with #200 . The request is to add a link to the machine readable and human readable advisories of a company. For example:

# Our Security Advisories
Advisories: https://tools.cisco.com/security/center/publicationListing.x

# Our Machine-readable CSAF/CVRF advisories
CSAF/CVRF Repository: https://tools.cisco.com/security/center/cvrfListing.x

Some vendors also have an API (such as https://developer.cisco.com/psirt/), but unfortunately, only just a very few do.

cqueern commented 3 years ago

In case it's of interest, there is an emerging discussion at the following link on how to communicate advisories in a format called VEX:

https://www.ntia.doc.gov/files/ntia/publications/draft_requirements_for_sharing_of_vulnerability_status_information_-_vex.pdf

This document is meant to give guidance on what interfaces and information elements are necessary as part of the technical solution to describing the state of potential vulnerabilities in a product.

Perhaps in some iteration of the security.txt standard, it might suggest that such advisories when linked in a security.txt file SHOULD comply with the VEX format.

santosomar commented 3 years ago

Makes sense. FYI: The VEX community, NTIA and CSAF TC are working together. VEX is supported in CSAF. CSAF is one of the first standards supporting VEX. Some examples here.

nightwatchcyber commented 3 years ago

Being that the draft is in final review by the IETF / IESG, and this can be done via a new registry field, going to recommend delaying this until the registry is up and running

santosomar commented 3 years ago

Absolutely! Thank you so much for the consideration.

santosomar commented 3 years ago

To follow up on this... This is a good suggestion by @tschmidtb51 Just the use of the keyword "CSAF" instead of CSAF/CVRF Repository.

# Human-readable Security Advisories
Advisories: https://example.com/security/advisories

# Machine-readable CSAF documents
CSAF: https://example.com/security/csaf-service.json

Reasoning: All other keywords are one word. CVRF didn't have a specification where and how to find those documents, CSAF does.

nightwatchcyber commented 1 year ago

CSAF field has been added to the registry

santosomar commented 1 year ago

Excellent! Thank you so much for your support!