On Mon, Dec 30, 2019 at 8:00 PM Yakov Shafranovich <yakov@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> On Mon, Dec 30, 2019 at 10:55 PM Rob Sayre <sayrer@xxxxxxxxx> wrote:
> >
> > On Tue, Dec 24, 2019 at 7:51 AM Tero Kivinen via Datatracker <noreply@xxxxxxxx> wrote:
> >>
> >> Reviewer: Tero Kivinen
> >> Review result: Has Issues
> >>
> >> This document describes a text file located on the web server which can be used
> >> to find information on whom to contact in case there are security
> >> vulnerabilities that need to be disclosed.
> >>
> >> I think this whole idea is BAD, and I do not think we should be publishing this
> >> document at all in this format.
> >
> >
> > Yeah... I looked at:
> >
> > https://tools.ietf.org/html/draft-foudil-securitytxt-08#section-6.7
> >
> > "Organizations SHOULD weigh the advantages of publishing this file versus the possible disadvantages and increased resources required to triage security reports."
> >
> > While the draft does spend some time describing the "Scope of the File", it doesn't address attacks against other parties using phone numbers or emails contained within the file.
> >
> > For example, it seems possible to register free domain names under TLDs like .xyz and .tk and then point phone numbers at unsuspecting parties.
> >
> I am adding language to address that:
> "Attackers can also use this file as a way to spam unrelated third
> parties by listing their resources and/or contact information."
> And:
> "Security researchers SHOULD consult the organization's policy, if
> available, and review the contact information and/or resources
> referenced within the "security.txt" file before submitting reports in
> an automated fashion or as resulting from automated scans."
OK. Then what level of automation is required?
The semantics of the fields seem hopelessly fuzzy, and so I'm not sure a well-known URI is required.
thanks,
Rob
--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
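An added worked example, not code from the draft or from anyone in this thread: a small Python script that parses the "Field: value" lines of a security.txt and sorts each Contact entry into "ok", "review" or "skip" depending on whether it points back at the site that served the file. The sample file is constructed, and the two-label suffix matching and the same-domain policy are this example's own assumptions; the draft does not specify any such check. The point is the triage step the added draft text asks researchers to do by hand before automated submission: an automated reporter should not blindly mail or phone whatever the file lists, because the file may name an unrelated third party.

```python
"""Triage check for security.txt Contact entries before automated reporting.

Added example; not part of the draft or the thread.  It parses the
"Field: value" line format used by security.txt and flags Contact values
that point somewhere other than the site that served the file, which is
the spam-a-third-party scenario discussed above.  The same-domain
heuristic is this example's own policy, not something the draft mandates.
"""
from urllib.parse import urlparse

# Constructed sample, as if served from https://example.com/.well-known/security.txt
SAMPLE = """\
# Our security policy
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Contact: tel:+1-555-0100
Contact: mailto:abuse@unrelated.example.org
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
"""


def parse_security_txt(text):
    """Return a list of (field, value) pairs, preserving order and duplicates.

    Comment lines (#) and blank lines are skipped.  A line without a colon is
    recorded under the field name "" so the caller can see malformed input
    instead of silently dropping it.  Field names are lower-cased.
    """
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            fields.append(("", line))
            continue
        fields.append((name.strip().lower(), value.strip()))
    return fields


def registrable_suffix(host, levels=2):
    # Assumption for the example: keep the last `levels` DNS labels.
    # A real tool should consult the Public Suffix List instead.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-levels:])


def classify_contact(value, site_host):
    """Return "ok", "review" or "skip" for a single Contact URI.

    ok     - https: or mailto: contact on the serving site's own domain
    review - contact on some other domain (possible unrelated third party)
    skip   - tel: or any other scheme; an automated reporter should not use it
    """
    parsed = urlparse(value)
    scheme = parsed.scheme.lower()
    site_suffix = registrable_suffix(site_host)
    if scheme == "mailto":
        addr = parsed.path.split("?", 1)[0]  # drop any ?subject=... part
        if "@" not in addr:
            return "skip"
        domain = addr.rsplit("@", 1)[1]
        return "ok" if registrable_suffix(domain) == site_suffix else "review"
    if scheme == "https":
        host = parsed.hostname
        if host and registrable_suffix(host) == site_suffix:
            return "ok"
        return "review"
    return "skip"


def triage(text, site_host):
    """Group the Contact entries of a security.txt by classification."""
    result = {"ok": [], "review": [], "skip": []}
    for name, value in parse_security_txt(text):
        if name == "contact":
            result[classify_contact(value, site_host)].append(value)
    return result


if __name__ == "__main__":
    for bucket, values in triage(SAMPLE, "example.com").items():
        print(bucket, values)
```

Only the "ok" bucket is safe to feed to an automated reporter; everything in "review" needs a human to confirm that the listed address really belongs to the organisation, and "skip" covers phone numbers and unknown schemes that a scanner has no business contacting.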