[Last-Call] Last Call: <draft-foudil-securitytxt-08.txt> (A Method for Web Security Policies) to Informational RFC


 



Hello

Via Twitter, I’ve become aware that there’s an upcoming vote on “draft-foudil-securitytxt-08.txt (A Method for Web Security Policies) to Informational RFC”, https://tools.ietf.org/html/draft-foudil-securitytxt-08.

I’d like to add a note in favour of ratification from a BBC perspective. We adopted the security.txt standard (https://www.bbc.co.uk/.well-known/security.txt, https://www.bbc.com/.well-known/security.txt) in August 2018 and have seen some very significant benefit from it, as evidenced in our public acknowledgements page: https://www.bbc.com/backstage/security-disclosure-policy/acknowledgements. All but the very first vulnerability on that page was reported via security.txt and for every acknowledged vulnerability, there are around 5 more which are duplicates or which, on inspection, don’t meet our scope requirements.

Some side benefits of deploying security.txt have been a raising of the profile of online security within the BBC and really fantastic engagement from the web security community; this has led to cooperation with several other organisations and individuals.

We would very much like to see security.txt ratified as a standard in order to promote the usual benefits, including consistency of usage, improved interoperability and adoption by mainstream applications and services.

As a potential third-party endorsement, I noticed recently that Shodan.io has now integrated security.txt detection and listing; see https://www.shodan.io/host/212.58.249.210 as an example.

I hope that’s useful. I’m very happy to provide any further information you might need; please just let me know if that’s the case.

Many thanks

Neil Craig
Lead Technical Architect
BBC Online Technology Group
London W12 | BC4 A3