Add a .well-known/security.txt file in xwiki.org

Hello everyone,

I discovered today a new RFC (RFC 9116: A File Format to Aid in Security Vulnerability Disclosure) whose goal is to help with properly reporting security issues: basically this RFC defines a format of a security.txt file that can be automatically parsed to give information about to whom to report a vulnerability and what the policy regarding vulnerabilities is.

I think it might be a good idea to put such a file on xwiki.org, so I propose that we add a file containing the following content:

# Our security address
Contact: mailto:security@xwiki.org

# Our security policy
Policy: https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/

Expires: [1 year after publication]

About the expiration date: the RFC strongly advises putting one, so I propose that we modify the upgrade plan of XWiki.org to include checking the security.txt and updating the date when we perform an upgrade.

The RFC also advises signing this security.txt. I’m not sure if we already have a public PGP key that we could use: if we have, I guess we should use it.

WDYT?

Out of curiosity, do you know what the current adoption of this RFC is? I’m mainly thinking of external tools that are indexing/scraping security.txt files and doing something with them.

I don’t know, but it says: “This document is not an Internet Standards Track specification; it is published for informational purposes.”

We have one we are using to sign Debian repositories.

I haven’t looked but it’s really a young RFC so I don’t expect much adoption yet, it says:

Published: April 2022

I think it cannot hurt :wink:

One thing that we could improve too is to add a section in our release notes or on the hall of fame page on dev.xwiki.org, about thanking security reporters. And then put a link to it in the security.txt file. Now we’ll need a process if we were to do that or we will forget. Also it raises the question of why recognizing security reporters vs bug reporters… I don’t have the answer, just raising the topic :wink:

Note that the RFC says to put this file under https://xwiki.org/.well-known/security.txt.

Each committer has its own key ATM.

Thanks. I’m hesitant to do more paperwork for something that will not be useful to others in the end.
Then, if we derive this file from structured data (e.g., XObjects), then at least they can be reused for some other format later (or to continue/improve what we started during last hackathon).
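The expiry check proposed above for the upgrade plan could be automated along these lines. This is an added example, not part of the thread or of XWiki's tooling; it handles an unsigned file only, and the function names, the 30-day warning window and the concrete Expires date in the sample are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: the file proposed in the thread, with an assumed
# concrete date in place of the "[1 year after publication]" placeholder.
SAMPLE = """\
# Our security address
Contact: mailto:security@xwiki.org

# Our security policy
Policy: https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/

Expires: 2030-06-01T00:00:00Z
"""

def parse_fields(text):
    """Return (lowercased field name, value) pairs; skip comments and blank lines."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            raise ValueError(f"not a field line: {line!r}")
        fields.append((name.strip().lower(), value.strip()))
    return fields

def check_security_txt(text, now, warn_days=30):
    """Return a list of problems; an empty list means nothing needs attention."""
    fields = parse_fields(text)
    problems = []
    if not any(name == "contact" for name, _ in fields):
        problems.append("missing Contact field")
    expires = [value for name, value in fields if name == "expires"]
    if len(expires) != 1:
        return problems + [f"need exactly one Expires field, found {len(expires)}"]
    try:
        when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        if when.tzinfo is None:
            raise ValueError("no UTC offset")
    except ValueError as exc:
        return problems + [f"Expires is not a date-time with offset: {exc}"]
    if when <= now:
        problems.append("Expires is in the past: the file is stale")
    elif when - now <= timedelta(days=warn_days):
        problems.append(f"Expires within {warn_days} days: renew the date")
    elif when - now > timedelta(days=366):
        problems.append("Expires is more than a year ahead")
    return problems
```

Pass `now` as a timezone-aware `datetime` (for example `datetime.now(timezone.utc)`) and run the check as part of each upgrade.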