Re: [specification] Interesting new movement to include "security.txt" files in projects
Mike Linksvayer
Yes securitytext.org is for web sites/services, for example
https://github.com/.well-known/security.txt

SECURITY.* in a code repository typically alongside LICENSE -- though GitHub also looks in a couple other locations
https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository
-- I'm not aware of any commonplace or standard texts or structure but I may be ignorant. Anyway a few examples are

https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md
https://github.com/microsoft/repo-templates/blob/main/shared/SECURITY.md
https://github.com/github/.github/blob/main/SECURITY.md

Yes both .well-known in the website context and well known files in the codebase context arguably run risk of overpopulation, but it seems like making it easy to find out how to report security issues is quite important.

Mike

On Tue, Mar 21, 2023 at 4:18 AM Steve Kilbane <stephen.kilbane@...> wrote: