Create a threat model for security.txt. #112
While we have had discussions in other tickets concerning potential attack vectors against security.txt files, I think it would be a good idea to create one document listing all sorts of things that could go wrong with security.txt files. This would allow us to easily keep an overview of the potential problems that we need to tackle, and then eventually we can include it in the "Security Considerations" section of the Internet draft.
We need to come up with some ideas such as the ones listed in https://edoverflow.com/2018/logic-flaws-in-wot-services, and see how we can prevent them.
As with the Keybase issues, any parsers should be careful of someone redirecting from
Should security.txt files be allowed to redirect to external sites? Maybe we should tell parsers that they should make notes of any redirects and display them to the user?
EDIT: I'm confused how I unassigned someone by posting a message? Maybe GitHub changed the maximum number of assignees allowed and when I posted a comment, GitHub recalculated?
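The redirect handling suggested in the comment above (record every redirect and surface it to the user) can be sketched as a small fetcher. This is an added example, not code from the securitytxt project or from any commenter; `http_get` is an assumed interface for whatever HTTP layer the parser uses, the responses are constructed for the example, and the refusal of non-https hops and the redirect limit are this example's own policy choices, not requirements taken from the thread.

```python
"""Fetch security.txt while recording every redirect hop and flagging any hop
that leaves the origin being checked, so the parser can show the chain to the
user instead of silently trusting the final document.

Added example; not part of the securitytxt project. The HTTP layer is injected
(`http_get`) so the code runs offline against constructed responses.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5  # policy choice for this example

# Assumed interface: http_get(url) -> (status, headers, body), no automatic redirects.
HttpGet = Callable[[str], Tuple[int, Dict[str, str], str]]


@dataclass
class FetchResult:
    final_url: str
    body: Optional[str] = None
    hops: List[str] = field(default_factory=list)  # every Location we followed, in order
    cross_origin: bool = False                      # True if any hop left the starting origin
    error: Optional[str] = None


def origin(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port) triple; default ports filled in so https://a and https://a:443 match."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, (p.hostname or "").lower(), port)


def fetch_security_txt(start_url: str, http_get: HttpGet,
                       max_redirects: int = MAX_REDIRECTS) -> FetchResult:
    start_origin = origin(start_url)
    result = FetchResult(final_url=start_url)
    url = start_url
    while True:
        status, headers, body = http_get(url)
        if status not in REDIRECT_CODES:
            break
        if len(result.hops) >= max_redirects:
            result.error = "too many redirects"
            return result
        location = headers.get("Location")
        if not location:
            result.error = f"HTTP {status} without a Location header"
            return result
        nxt = urljoin(url, location)  # resolves relative Location values
        if urlsplit(nxt).scheme != "https":
            result.error = f"refusing redirect to non-https URL {nxt}"
            return result
        result.hops.append(nxt)
        if origin(nxt) != start_origin:
            result.cross_origin = True  # surface this to the user; do not hide it
        url = nxt
    result.final_url = url
    if status == 200:
        result.body = body
    else:
        result.error = f"HTTP {status}"
    return result


# Constructed responses for the example (no network access).
CONSTRUCTED_RESPONSES = {
    "https://example.com/.well-known/security.txt":
        (301, {"Location": "/security.txt"}, ""),
    "https://example.com/security.txt":
        (302, {"Location": "https://cdn.example.net/sec.txt"}, ""),
    "https://cdn.example.net/sec.txt":
        (200, {}, "Contact: mailto:security@example.com\n"),
    "https://loop.example.com/.well-known/security.txt":
        (302, {"Location": "/.well-known/security.txt"}, ""),
}


def stub_get(url: str):
    return CONSTRUCTED_RESPONSES.get(url, (404, {}, ""))


if __name__ == "__main__":
    r = fetch_security_txt("https://example.com/.well-known/security.txt", stub_get)
    for hop in r.hops:
        print("redirected to:", hop)
    if r.cross_origin:
        print("WARNING: security.txt was served from a different origin than the one checked")
    print("final:", r.final_url, "error:", r.error)
```

A parser built this way can print the hop list beside the parsed fields, so a file that ends up on a third-party host (or that loops) is visible to whoever is deciding whether to trust the contact details.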