Hi Nicolas,

[ dropped security@, it's not too much spammed yet, I prefer to limit
  exposure ]

On Sun, Aug 04, 2024 at 08:20:33PM +0200, Nicolas CARPi wrote:
> Hello list,
> 
> This PR made me think about the new security.txt standard - or at least 
> proposed standard: https://securitytxt.org/
> 
> Basically, you serve a text file at .well-known/security.txt, and this 
> should be the first place security researchers look for a contact to 
> send security reports to the dev team.
> 
> It is also where entities such as ANSSI will try and contact you, as 
> explained on this page: https://www.cert.ssi.gouv.fr/signalements/. I've 
> seen their bot in my logs trying to fetch this URL, which prompted me to 
> add it to my websites.
> 
> This message is for the maintainers of haproxy.org, but for anyone 
> reading and interested in adding it, this is what I use:
> 
> acl securitytxt-acl path_beg /.well-known/security.txt
> http-request return status 200 content-type text/plain string "Contact: mailto:y...@company.com\n[RestOfTheFile]\n" if securitytxt-acl

That's indeed a simple way of implementing it, thanks for sharing. I'm
not much convinced myself by this approach however. Nobody knows about
it, and only a handful of sites are using it. I personally think that
there's nothing special in the "security" aspect that warrants such a
name, and that having instead a contact list for various purposes,
including security would be more beneficial. Sometimes you'd just like
to contact the webmaster to signal a bug, or you might want to report
a security issue in a product, which is independent from the site, etc.

Thanks,
Willy


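The file format Nicolas describes is published as RFC 9116, and the mistakes that make a security.txt useless in practice are mundane: a hard-coded Expires date that lapsed, two Expires lines, a bare e-mail address instead of a mailto: URI, or a file served somewhere other than /.well-known/. The following validator and generator are an added example written for this page; they are not from the thread, from Nicolas, or from the HAProxy project. The two sample files, the example.org URLs and the contact address are constructed placeholders.

```python
"""Added example (editor's code, not from the thread or from HAProxy):
a validator for the security.txt format (RFC 9116) plus a renderer that
emits a fresh file with a valid Expires. Sample inputs are constructed."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

WELL_KNOWN_PATH = "/.well-known/security.txt"
ONCE_ONLY = {"expires", "preferred-languages"}          # RFC 9116 s.2.5
WEB_ONLY = {"acknowledgments", "canonical", "policy", "hiring"}  # must be https://
FIXED_NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)  # deterministic clock for demos


def parse_security_txt(text):
    """Parse an unsigned security.txt into [(field_lower, value), ...].

    Field names are case-insensitive, '#' starts a comment, blank lines are
    ignored. A PGP cleartext-signed file needs its armor stripped first.
    Returns (fields, errors)."""
    fields, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")   # split on the FIRST colon only
        if not sep or not value.strip():
            errors.append(f"line {lineno}: expected 'Field: value', got {raw!r}")
            continue
        fields.append((name.strip().lower(), value.strip()))
    return fields, errors


def parse_expires(value):
    """Expires is ISO 8601 with a timezone. A trailing 'Z' is rewritten as
    +00:00 so datetime.fromisoformat accepts it on every Python 3 version."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("Expires must carry a timezone")
    return dt


def validate(text, served_at=None, now=None):
    """Return (errors, warnings); empty errors means the file is acceptable.
    served_at is the full URL the file was fetched from; when given, the
    path, scheme and (if present) Canonical fields are checked against it."""
    now = now or datetime.now(timezone.utc)
    fields, errors = parse_security_txt(text)
    warnings, counts = [], {}
    for name, value in fields:
        counts[name] = counts.get(name, 0) + 1
        uri = urlparse(value)
        if name == "contact" and not uri.scheme:
            errors.append(f"Contact must be a URI (mailto:, https:, tel:): {value!r}")
        if name in WEB_ONLY:
            if uri.scheme != "https":
                errors.append(f"{name}: must be an https:// URI, got {value!r}")
        elif uri.scheme == "http":
            errors.append(f"{name}: web URIs must use https://, got {value!r}")
    if counts.get("contact", 0) == 0:
        errors.append("Contact is required (at least one)")
    for name in ONCE_ONLY:
        if counts.get(name, 0) > 1:
            errors.append(f"{name} may appear only once")
    if counts.get("expires", 0) == 0:
        errors.append("Expires is required")
    else:
        value = next(v for n, v in fields if n == "expires")
        try:
            exp = parse_expires(value)
            if exp <= now:
                errors.append(f"file expired at {value}; researchers will treat it as stale")
            elif exp - now > timedelta(days=365):
                warnings.append("Expires is more than a year out (RFC 9116 recommends less)")
        except ValueError as e:
            errors.append(f"Expires is not ISO 8601: {value!r} ({e})")
    if served_at:
        u = urlparse(served_at)
        if u.scheme != "https" or u.path != WELL_KNOWN_PATH:
            errors.append(f"must be served over https at {WELL_KNOWN_PATH}, got {served_at}")
        canonical = [v for n, v in fields if n == "canonical"]
        if canonical and served_at not in canonical:
            errors.append("served URL is not listed in any Canonical field")
    return errors, warnings


def render(contacts, days_valid=365, **extra):
    """Build a security.txt body whose Expires is computed at generation time,
    so regenerating the file (e.g. on deploy) keeps it from going stale."""
    exp = datetime.now(timezone.utc) + timedelta(days=days_valid)
    lines = [f"Contact: {c}" for c in contacts]
    lines.append("Expires: " + exp.strftime("%Y-%m-%dT%H:%M:%SZ"))
    for k, v in extra.items():   # e.g. preferred_languages="en, fr" -> Preferred-Languages
        lines.append(f"{k.replace('_', '-').title()}: {v}")
    return "\n".join(lines) + "\n"


# Constructed sample: a well-formed file for a hypothetical example.org.
GOOD = """# Security contact for example.org (constructed sample)
Contact: mailto:security@example.org
Contact: https://example.org/security
Expires: 2099-01-01T00:00:00.000Z
Preferred-Languages: en, fr
Canonical: https://example.org/.well-known/security.txt
"""

# Constructed sample carrying the usual mistakes: bare address, lapsed and
# duplicated Expires, plain-http policy link.
BAD = """Contact: security@example.org
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
Policy: http://example.org/policy
"""

if __name__ == "__main__":
    for label, body in (("GOOD", GOOD), ("BAD", BAD)):
        errs, warns = validate(body, "https://example.org/.well-known/security.txt", FIXED_NOW)
        print(label, "errors:", errs, "warnings:", warns)
    print(render(["mailto:security@example.org"], preferred_languages="en"))
```

Pipe the body fetched from a site into validate() with the URL it came from; if the file is PGP-signed, strip the cleartext-signature armor first, since the parser only understands bare fields.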