On Mon, Dec 30, 2019 at 10:55 PM Rob Sayre <sayrer@xxxxxxxxx> wrote:
>
> On Tue, Dec 24, 2019 at 7:51 AM Tero Kivinen via Datatracker <noreply@xxxxxxxx> wrote:
>>
>> Reviewer: Tero Kivinen
>> Review result: Has Issues
>>
>> This document describes a text file located on the web server which can be used
>> to find the information on whom to contact in case there are security
>> vulnerabilities that need to be disclosed.
>>
>> I think this whole idea is BAD, and I do not think we should be publishing this
>> document at all in this format.
>
>
> Yeah... I looked at:
>
> https://tools.ietf.org/html/draft-foudil-securitytxt-08#section-6.7
>
> "Organizations SHOULD weigh the advantages of publishing this file versus the possible disadvantages and increased resources required to triage security reports."
>
> While the draft does spend some time describing the "Scope of the File", it doesn't address attacks against other parties using phone numbers or emails contained within the file.
>
> For example, it seems possible to register free domain names under TLDs like .xyz and .tk and then point phone numbers at unsuspecting parties.
>

I am adding language to address that:

"Attackers can also use this file as a way to spam unrelated third parties by listing their resources and/or contact information."

And:

"Security researchers SHOULD consult the organization's policy, if available, and review the contact information and/or resources referenced within the "security.txt" file before submitting reports in an automated fashion or as resulting from automated scans."

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
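For the pre-submission review the new text asks of researchers, a check like the following holds back any Contact entry that does not point at the domain that served the file, so an automated reporter never mails or phones an unrelated third party. This is an added example, not code from the draft or the list; the serving site name, the sample file and the function names are assumptions.

```python
"""Pre-submission check on a fetched security.txt (added example, not the
draft's own code): parse the "Field: value" lines and split Contact entries
into on-site targets and off-site ones that a person must confirm first."""
from urllib.parse import urlparse

# Constructed sample, as if fetched from https://example.com/.well-known/security.txt
SAMPLE = """# constructed sample, not a real site's file
Contact: mailto:security@example.com
Contact: mailto:abuse@unrelated-victim.example
Contact: https://example.com/report
Contact: tel:+1-555-0100
Expires: 2020-12-31T23:59:59Z
Policy: https://example.com/disclosure
"""

def parse_security_txt(text):
    """Return (field, value) pairs, ignoring comments and blank lines."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()))
    return fields

def in_scope(host, site):
    """True when host is the serving site itself or a subdomain of it."""
    host, site = host.lower(), site.lower()
    return host == site or host.endswith("." + site)

def review_contacts(text, site):
    """Return (ok, hold): ok entries resolve to the serving site, hold entries
    point elsewhere (or, like tel:, cannot be tied to the site at all)."""
    ok, hold = [], []
    for name, value in parse_security_txt(text):
        if name != "contact":
            continue
        uri = urlparse(value)
        if uri.scheme == "mailto" and "@" in uri.path:
            target_host = uri.path.rsplit("@", 1)[1]
        elif uri.scheme in ("http", "https") and uri.hostname:
            target_host = uri.hostname
        else:
            hold.append(value)  # tel: and unknown schemes need human review
            continue
        (ok if in_scope(target_host, site) else hold).append(value)
    return ok, hold
```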