A File Format to Aid in Security Vulnerability Disclosure
Draft of message to be sent after approval:
From: The IESG <email@example.com> To: IETF-Announce <firstname.lastname@example.org> Cc: The IESG <email@example.com>, Kathleen.Moriarty.firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com Subject: Document Action: 'A Method for Web Security Policies' to Informational RFC (draft-foudil-securitytxt-08.txt) The IESG has approved the following document: - 'A Method for Web Security Policies' (draft-foudil-securitytxt-08.txt) as Informational RFC This document has been reviewed in the IETF but is not the product of an IETF Working Group. The IESG contact person is Benjamin Kaduk. A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-foudil-securitytxt/
Technical Summary This document defines a file format ("security.txt") to help organizations publish their contact information and procedures for disclosure of security vulnerabilities. This is expected to improve the ability of security researchers to be able to provide their results in an actionable form. Note that vulnerability disclosure is distinct from incident response, and this mechanism is not necessarily well suited for use in incident response, but there are other mechanisms defined for coordinating incident response. Working Group Summary This document is AD-sponsored, so there is no specific WG for it. However, discussion did occur on the SAAG list as well as during IETF Last Call. The document was rather contentious, with the most debated point being the risk that use of security.txt to report compromise is highly flawed, since an attacker that has compromised the hosting system could change its contents. There was also discussion of whether the format should be more readily machine parsable; the current structure targets only human consumption, since human judgment will be needed for many of the steps in actually using the information it contains. Other topics from the last-call review are mentioned in the summary message of the last-call comments, available at https://mailarchive.ietf.org/arch/msg/saag/bmsyx9JKnuugpHvajw9svD0B0ks/ The document was updated to address these concerns, including emphasizing the intended use for vulnerability disclosure (not incident response), and the need for human judgment in processing the contents. Document Quality The security.txt file is already in use by many organizations and referenced from external documents. An informal survey of HTTP sites providing security.txt information, as summarized at https://github.com/securitytxt/security-txt/issues/191 finds that many are well formed, though some minor syntactic errors are present in others. Personnel The Document Shepherd is Kathleen Moriarty. The responsible AD is Benjamin Kaduk.