A File Format to Aid in Security Vulnerability Disclosure

draft-foudil-securitytxt-10

Network Working Group                                         E. Foudil
Internet-Draft
Intended status: Informational                          Y. Shafranovich
Expires: 24 February 2021                       Nightwatch Cybersecurity
                                                          23 August 2020

Abstract

   When security vulnerabilities are discovered by researchers, proper
   reporting channels are often lacking.  As a result, vulnerabilities
   may be left unreported.  This document defines a format
   ("security.txt") to help organizations describe their vulnerability
   disclosure practices to make it easier for researchers to report
   vulnerabilities.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 24 February 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Foudil & Shafranovich    Expires 24 February 2021               [Page 1]

Internet-Draft  A File Format to Aid in Security Vulnerability  August 2020

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Motivation, Prior Work and Scope  . . . . . . . . . . . .   3
     1.2.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   4
   2.  Note to Readers . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  The Specification . . . . . . . . . . . . . . . . . . . . . .   4
     3.1.  Scope of the File . . . . . . . . . . . . . . . . . . . .   5
     3.2.  Comments  . . . . . . . . . . . . . . . . . . . . . . . .   6
     3.3.  Line Separator  . . . . . . . . . . . . . . . . . . . . .   6
     3.4.  Digital signature . . . . . . . . . . . . . . . . . . . .   6
     3.5.  Field Definitions . . . . . . . . . . . . . . . . . . . .   7
       3.5.1.  Acknowledgments . . . . . . . . . . . . . . . . . . .   7
       3.5.2.  Canonical . . . . . . . . . . . . . . . . . . . . . .   7
       3.5.3.  Contact . . . . . . . . . . . . . . . . . . . . . . .   8
       3.5.4.  Encryption  . . . . . . . . . . . . . . . . . . . . .   8
       3.5.5.  Expires . . . . . . . . . . . . . . . . . . . . . . .   9
       3.5.6.  Hiring  . . . . . . . . . . . . . . . . . . . . . . .   9
       3.5.7.  Policy  . . . . . . . . . . . . . . . . . . . . . . .   9
       3.5.8.  Preferred-Languages . . . . . . . . . . . . . . . . .   9
     3.6.  Example of an unsigned "security.txt" file  . . . . . . .  10
     3.7.  Example of a signed "security.txt" file . . . . . . . . .  10
   4.  Location of the security.txt file . . . . . . . . . . . . . .  11
     4.1.  Web-based services  . . . . . . . . . . . . . . . . . . .  11
     4.2.  Filesystems . . . . . . . . . . . . . . . . . . . . . . .  11
     4.3.  Extensibility . . . . . . . . . . . . . . . . . . . . . .  11
   5.  File Format Description and ABNF Grammar  . . . . . . . . . .  12
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  13
     6.1.  Compromised Files and Incident Response . . . . . . . . .  13
     6.2.  Redirects . . . . . . . . . . . . . . . . . . . . . . . .  14
     6.3.  Incorrect or Stale Information  . . . . . . . . . . . . .  14
     6.4.  Intentionally Malformed Files, Resources and Reports  . .  14
     6.5.  No Implied Permission for Testing . . . . . . . . . . . .  15
     6.6.  Multi-user Environments . . . . . . . . . . . . . . . . .  15
     6.7.  Protecting Data in Transit  . . . . . . . . . . . . . . .  15
     6.8.  Spam and Spurious Reports . . . . . . . . . . . . . . . .  16
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  16