Last call changes #183
Merged
Last call changes #183
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
EdOverflow
reviewed
Jan 1, 2020
draft-foudil-securitytxt.md
Outdated
| ("security.txt") to help organizations describe the process for security | ||
| researchers to follow in order to report security vulnerabilities. | ||
| ("security.txt") to help organizations describe their vulnerability disclosure practices | ||
| in order to make it easier for researchers to report security vulnerabilities. |
There was a problem hiding this comment.
Suggested change
| in order to make it easier for researchers to report security vulnerabilities. | |
| to make it easier for researchers to report security vulnerabilities. |
draft-foudil-securitytxt.md
Outdated
| for organizations to communicate information about their security disclosure | ||
| policies, which is not limited to email and also allows for additional features | ||
| practices and ways to contact them, which is not limited to email and also allows for additional features |
There was a problem hiding this comment.
Rewording this - being that we already mentioned this is intended for researchers to be consumed, I took that out and only left the part about the organizations.
draft-foudil-securitytxt.md
Outdated
| such as encryption. This format is designed to help | ||
| assist with the security disclosure process by making it easier | ||
| for organizations to designate the preferred steps for researchers to take | ||
| when trying to reach out to them with security vulnerabilities. | ||
| when trying to reach out to them with security vulnerabilities as well as provide | ||
| additional information about their vulnerability disclosure practices useful to security researchers. |
There was a problem hiding this comment.
This sentence is too wordy. Needs rephrasing.
draft-foudil-securitytxt.md
Outdated
| that provides information for security researchers to assist | ||
| in disclosing security vulnerabilities. | ||
| that provides information for security researchers about the vulnerability disclosure | ||
| practices of a particular organization in order to assist them in disclosing security vulnerabilities. |
There was a problem hiding this comment.
Suggested change
| practices of a particular organization in order to assist them in disclosing security vulnerabilities. | |
| practices of a particular organization to assist them in disclosing security vulnerabilities. |
| This field MUST NOT appear more than once. | ||
|
|
||
| ~~~~~~~~~~ | ||
| Expires: Thu, 31 Dec 2020 18:37:07 -0800 |
There was a problem hiding this comment.
Is the date arbitrary? Is it the implementer's sole discretion to set a realistic expiration date? How does one determine what a suitable expiration date is?
There was a problem hiding this comment.
I added a reference to the staleness section from the security considerations section
| If this directive indicates a web URL, then it MUST begin with "https://" | ||
| This field indicates a link to where the vulnerability disclosure policy is located. | ||
| This can help security researchers understand | ||
| the organization's vulnerability reporting practices. |
There was a problem hiding this comment.
Suggested change
| the organization's vulnerability reporting practices. | |
| the organization's vulnerability-reporting practices. |
There was a problem hiding this comment.
same question about the dash as above
draft-foudil-securitytxt.md
Outdated
| redirect if it leads to another domain or subdomain | ||
| but SHOULD follow that redirect within the same domain name | ||
| (but not different subdomain on the same domain). | ||
| or redirect (as per section 6.4 of {{!RFC7231}}) to the security.txt file under the /.well-known/ path. If a "security.txt" file |
There was a problem hiding this comment.
Suggested change
| or redirect (as per section 6.4 of {{!RFC7231}}) to the security.txt file under the /.well-known/ path. If a "security.txt" file | |
| or redirect (as per section 6.4 of {{!RFC7231}}) to the security.txt file under the "/.well-known/" path. If a "security.txt" file |
draft-foudil-securitytxt.md
Outdated
| a "security.txt" file grants or denies permission for security testing. | ||
| Any such permission MAY be defined in a security or disclosure policy | ||
| (as per {{policy}}) or a new directive (as per {{extensibility}}). | ||
| Any such permission may be indicates in the company's vulnerability disclosure policy |
There was a problem hiding this comment.
Suggested change
| Any such permission may be indicates in the company's vulnerability disclosure policy | |
| Any such permission may be indicated in the company's vulnerability-disclosure policy |
draft-foudil-securitytxt.md
Outdated
| HTTPS is being used. | ||
|
|
||
| However, the determination of validity of such keys is out of scope | ||
| for this specification. Implementors MUST establish other secure means to | ||
| for this specification. Researches need to establish other secure means to |
There was a problem hiding this comment.
Suggested change
| for this specification. Researches need to establish other secure means to | |
| for this specification. Security researches need to establish other secure means to |
There was a problem hiding this comment.
Actually, there is a typo there. It should be:
Suggested change
| for this specification. Researches need to establish other secure means to | |
| for this specification. Security researchers need to establish other secure means to |
| automated scans. | ||
| Security researchers should consult the organization's vulnerability disclosure policy, if available, | ||
| and review the contact information and/or resources referenced within the "security.txt" | ||
| file before submitting reports in an automated fashion or as resulting from automated scans. |
joker314
requested changes
Jan 2, 2020
draft-foudil-securitytxt.md
Outdated
|
|
||
| This text file contains multiple directives | ||
| with different values. The "directive" is the first part of a field all the way up | ||
| This text file contains multiple fields with different values. A field contains a name which is the first part of a field all the way up |
There was a problem hiding this comment.
For consistency with how the field "value" is introduced
Suggested change
| This text file contains multiple fields with different values. A field contains a name which is the first part of a field all the way up | |
| This text file contains multiple fields with different values. A field contains a "name" which is the first part of a field all the way up |
|
|
||
| line = (field / comment) eol | ||
|
|
||
| eol = *WSP [CR] LF | ||
|
|
||
| field = ack-field / | ||
| can-field / |
There was a problem hiding this comment.
I'm not sure about moving Canonical to here, because it can appear a maximum of one time (similar to Expires)
There was a problem hiding this comment.
As per IETF feedback, this was changed so Canonical can appear multiple times. This was done to address the use case where multiple redirects point to the same file.
draft-foudil-securitytxt.md
Outdated
| of the file (as per {{canonical}}), and regularly monitor the file and | ||
| the referenced resources to detect tampering. | ||
|
|
||
| Security researchers SHOULD check the "security.txt" file including verifying | ||
| Security researchers should triage the "security.txt" file including verifying | ||
| the digital signature and checking any available historical records before using the information | ||
| contained in the file. If "security.txt" file looks suspicious or compromised, |
There was a problem hiding this comment.
(Not introduced by this PR, but probably good to fix this typo). One of--
Suggested change
| contained in the file. If "security.txt" file looks suspicious or compromised, | |
| contained in the file. If a "security.txt" file looks suspicious or compromised, |
Suggested change
| contained in the file. If "security.txt" file looks suspicious or compromised, | |
| contained in the file. If the "security.txt" file looks suspicious or compromised, |
This was referenced Jan 2, 2020
EdOverflow
reviewed
Jan 13, 2020
draft-foudil-securitytxt.md
Outdated
| When made available on HTTP servers, it MUST be placed under the | ||
| /.well-known/ path (as "/.well-known/security.txt") {{!RFC8615}} of a domain name or IP address. | ||
| For legacy compatibility, a security.txt file might be placed at the top level path (see {{weblocation}}). | ||
| For file systems a "security.txt" file SHOULD be placed in the root directory of a particular file system. |
There was a problem hiding this comment.
Suggested change
| For file systems a "security.txt" file SHOULD be placed in the root directory of a particular file system. | |
| For file systems a "security.txt" file SHOULD be placed in the root directory of the file system. |
I do not think "particular" is needed here.
draft-foudil-securitytxt.md
Outdated
| For legacy compatibility, a security.txt file might be placed at the top level path (see {{weblocation}}). | ||
| For file systems a "security.txt" file SHOULD be placed in the root directory of a particular file system. | ||
|
|
||
| On HTTP servers, the file MUST be accessed via the Hypertext Transfer Protocol (HTTP) 1.0 {{!RFC1945}} or higher version |
There was a problem hiding this comment.
Suggested change
| On HTTP servers, the file MUST be accessed via the Hypertext Transfer Protocol (HTTP) 1.0 {{!RFC1945}} or higher version | |
| On HTTP servers, the file MUST be accessed via the Hypertext Transfer Protocol (HTTP) 1.0 {{!RFC1945}} or a higher version |
draft-foudil-securitytxt.md
Outdated
| For file systems a "security.txt" file SHOULD be placed in the root directory of a particular file system. | ||
|
|
||
| On HTTP servers, the file MUST be accessed via the Hypertext Transfer Protocol (HTTP) 1.0 {{!RFC1945}} or higher version | ||
| and the "https" scheme (as per section 2.7.2 of {{!RFC7230}}). It MUST have a Content-Type of "text/plain" |
There was a problem hiding this comment.
On HTTP servers, the file MUST be accessed via the Hypertext Transfer Protocol 1.0 or a higher version and the "https" scheme.
This sentence is quite difficult to follow. Especially with all the inline references. Might need rephrasing.
draft-foudil-securitytxt.md
Outdated
| or repository in which it is located, and not to any of its parent or sibling folders, | ||
| or repositories. However, it will apply to all subfolders. | ||
| in which it is located, and not to any of its parent or sibling folders. | ||
| However, it will apply to all subfolders. |
There was a problem hiding this comment.
I would reword this as follows:
A "security.txt" file that is found in a file system MUST only apply to the folder in which it is located and that folder's subfolders. The file does not apply to any of the folder's parent or sibling folders.
EdOverflow
approved these changes
Jan 21, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
lines at the end of the file #174)