Hello list,

This PR made me think about the new security.txt standard - or at least 
proposed standard: https://securitytxt.org/

Basically, you serve a text file at .well-known/security.txt, and this 
should be the first place to look for a contact to send security reports 
to the dev team by security researchers.

It is also where entities such as ANSSI will try and contact you, as 
explained on this page: https://www.cert.ssi.gouv.fr/signalements/. I've 
seen their bot in my logs trying to fetch this URL, which prompted me to 
add it to my websites.

This message is for the maintainers of haproxy.org, but for anyone 
reading and interested in adding it, this is what I use:

# Match requests for the well-known path (path_beg also matches longer paths
# starting with it; use "path" for an exact match if that matters to you).
acl securitytxt-acl path_beg /.well-known/security.txt
# Answer directly from HAProxy, no backend needed. Keep the rule on one line;
# the "\n" escapes inside the double-quoted string become real newlines.
http-request return status 200 content-type text/plain string "Contact: mailto:y...@company.com\n[RestOfTheFile]\n" if securitytxt-acl

Super simple to add and very unlikely to break anything because of the 
well-known "namespacing".

I think this would be a suitable addition to haproxy.org because the 
Security or Contact portions of haproxy.org don't mention any secure way 
to report a vuln.

I'm gonna add secur...@haproxy.org in copy of this email to see if it 
bounces ^^

Best,
~Nicolas


On 03 Aug, PR Bot wrote:
> Dear list!
> 
> Author: Valen1393 <valiantal...@gmail.com>
> Number of patches: 1
> 
> This is an automated relay of the Github pull request:
>    Create SECURITY.md
> 
> Patch title(s): 
>    Create SECURITY.md
> 
> Link:
>    https://github.com/haproxy/haproxy/pull/2661
> 
> Edit locally:
>    wget https://github.com/haproxy/haproxy/pull/2661.patch && vi 2661.patch
> 
> Apply locally:
>    curl https://github.com/haproxy/haproxy/pull/2661.patch | git am -
> 
> Description:
>    Sabar
> 
> Instructions:
>    This github pull request will be closed automatically; patch should be
>    reviewed on the haproxy mailing list (haproxy@formilux.org). Everyone is
>    invited to comment, even the patch's author. Please keep the author and
>    list CCed in replies. Please note that in absence of any response this
>    pull request will be lost.
> 
> 

-- 
~Nico