Hi Paul
We can’t be totally certain all the time but researchers have certainly mentioned how they found the contact details (and VDP) when they contact us in the past. The VDP (https://www.bbc.com/backstage/security-disclosure-policy/) and security.txt are a pairing, each references the other and we included contact details in the VDP so that researchers don’t have to go to security.txt if they didn’t find our VDP that way – we don’t really care how they find it, we just want their reports. As for DNS, that’s not something I know about, we’re a big org so someone might have been proactive but again, we just advertise the address where we can for ease of use. https://medium.com/@dr.spitfire/a-fight-for-duplicate-marked-bug-story-of-bbc-hall-of-fame-16f9c8215315 is not our content.
Having a standardised method of discovery is definitely helpful from both a time/effort-saving and reassuring the researcher that we’re trying to behave responsibly perspective. As I mentioned previously, both manual and automated discovery via a standard means/location is something we think is very valuable.
Hope that helps.
Cheers
Neil Craig
Lead Technical Architect
BBC Online Technology Group
London W12 | BC4 A3
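The exchange above turns on the same security contact being advertised through several channels (security.txt, the VDP page and a DNS TXT record). As an added example, not code from the list thread or from the BBC, the following Python check parses a constructed security.txt in the draft's "Field: value" form and verifies that the mailto: contacts it names agree with a constructed DNS TXT record and VDP contact; every sample value is constructed.

```python
import re

# Constructed sample security.txt body (not a real file or a real organisation)
SECURITY_TXT = """\
# constructed example
Contact: mailto:security@example.org
Policy: https://www.example.org/security-disclosure-policy/
Expires: 2030-01-01T00:00:00Z
"""

# Constructed DNS TXT record and VDP-page contact for the same organisation;
# the "contact=" key inside the TXT record is an assumed layout, not a standard
DNS_TXT_RECORDS = ['"v=sample; contact=mailto:security@example.org"']
VDP_CONTACT = "mailto:security@example.org"


def parse_security_txt(text):
    """Return {field_name_lowercase: [values]}, skipping '#' comments and blanks."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")  # split only at the first colon
        if not sep:
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def mailto_addresses(values):
    """Extract lower-cased addresses from mailto: URIs; other schemes are ignored."""
    return {v[len("mailto:"):].lower() for v in values if v.lower().startswith("mailto:")}


def contacts_consistent(security_txt, dns_records, vdp_contact):
    """True when Contact and Policy are present and every channel names the same
    set of mailto: addresses; a mismatch means researchers may see conflicting
    contacts depending on where they look."""
    fields = parse_security_txt(security_txt)
    if "contact" not in fields or "policy" not in fields:
        return False
    from_txt = mailto_addresses(fields["contact"])
    from_dns = set()
    for rec in dns_records:
        from_dns |= {m.lower() for m in re.findall(r'mailto:([^\s;"]+)', rec)}
    from_vdp = mailto_addresses([vdp_contact])
    return bool(from_txt) and from_txt == from_dns == from_vdp
```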
From: Paul Wouters <paul@xxxxxxxxx>
Date: Thursday, 12 December 2019 at 12:54
To: Neil Craig <Neil.Craig@xxxxxxxxx>
Cc: "last-call@xxxxxxxx" <last-call@xxxxxxxx>
Subject: Re: [Last-Call] Last Call: <draft-foudil-securitytxt-08.txt> (A Method for Web Security Policies) to Informational RFC

How do you know it came from there? I see lots of hits for the published contact security@xxxxxxxxx, eg
You even publish that same email address in a DNS TXT record with a mailto: link.
It seems more that you added the address at yet another location with the same contact information? So I am a bit confused how you reached your conclusion that people found that email address via this drafts mechanism.
Paul
Sent from my iPhone
--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call