Hello everyone,
I discovered today a new RFC (RFC 9116: A File Format to Aid in Security Vulnerability Disclosure) whose goal is to help with properly reporting security issues: basically this RFC defines the format of a security.txt file that can be automatically parsed to give information about whom to report a vulnerability to and what the policy regarding vulnerabilities is.
I think it might be a good idea to put such file on xwiki.org, so I propose that we add a file containing the following content:
# Our security address
Contact: mailto:security@xwiki.org
# Our security policy
Policy: https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/
Expires: [1 year after publication]
About the expiration date: the RFC strongly advises putting one, so I propose that we modify the upgrade plan of XWiki.org to include checking the security.txt and updating the date when we do perform an upgrade.
The RFC also advises signing this security.txt; I'm not sure if we already have a public PGP key that we could use: if we have one, I guess we should use it.
WDYT?
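Since the point of RFC 9116 is that the file is machine-parsable, here is a small parser and validator for it, added as an illustration and not code from the above proposal or from the XWiki project. It parses the `Field: value` lines (comments start with `#`, field names are case-insensitive), checks the two fields the RFC requires (`Contact` and `Expires`), checks that `Expires` is an RFC 3339 date-time that is neither in the past nor, per the RFC's recommendation, more than a year out, rejects plain `http://` web URIs (the RFC requires `https://`), and strips an OpenPGP cleartext-signature wrapper so a signed file still parses. It only detects the signature armor; verifying the signature against the key named in the `Encryption` field is out of scope here. The three sample files, the fixed "now", and the placeholder signature blob are constructed for the example; the first sample uses the exact field values proposed above, with the `Expires` placeholder replaced by a concrete date.

```python
"""Minimal RFC 9116 security.txt parser/validator (added example, not xwiki.org's code)."""
import re
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("contact", "expires")
# RFC 9116: these fields MUST NOT appear more than once
SINGLE_VALUED = ("expires", "preferred-languages")
# fields whose values are URIs; web URIs among them must use https
URI_FIELDS = ("contact", "policy", "canonical", "acknowledgments", "hiring", "encryption")


def _unwrap_cleartext_signature(text):
    """Return (body, signed). Strips an OpenPGP cleartext-signature wrapper (RFC 4880)
    so the fields can be parsed. It does NOT verify the signature."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text, False
    i = 1
    while i < len(lines) and lines[i].strip():  # skip armor headers such as "Hash: SHA256"
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line.strip() == "-----BEGIN PGP SIGNATURE-----":
            break
        # undo dash-escaping: a body line starting with "-" is sent as "- -..."
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body), True


def parse_security_txt(text):
    """Return (fields, signed, errors); fields maps lowercased name -> list of values."""
    body, signed = _unwrap_cleartext_signature(text)
    fields, errors = {}, []
    for lineno, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            errors.append(f"line {lineno}: not a 'Field: value' line: {raw!r}")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, signed, errors


def _parse_rfc3339(value):
    # datetime.fromisoformat() only accepts a trailing "Z" from Python 3.11 on
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_security_txt(text, now=None):
    """Return (ok, problems, signed). Entries prefixed 'warning:' do not make ok False."""
    now = now or datetime.now(timezone.utc)
    fields, signed, problems = parse_security_txt(text)
    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field '{name.title()}'")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"'{name.title()}' must appear at most once")
    for name in URI_FIELDS:
        for uri in fields.get(name, []):
            if not re.match(r"^[A-Za-z][A-Za-z0-9+.-]*:", uri):
                problems.append(f"'{name.title()}' value is not a URI: {uri}")
            elif uri.lower().startswith("http://"):
                problems.append(f"'{name.title()}' web URI must use https: {uri}")
    for value in fields.get("expires", [])[:1]:
        try:
            expires = _parse_rfc3339(value)
        except ValueError:
            problems.append(f"'Expires' is not an RFC 3339 date-time: {value}")
            continue
        if expires.tzinfo is None:
            problems.append(f"'Expires' must carry a UTC offset or 'Z': {value}")
        elif expires <= now:
            problems.append(f"file expired on {value}")
        elif expires - now > timedelta(days=365):
            problems.append(f"warning: 'Expires' is more than a year out ({value})")
    ok = not any(not p.startswith("warning:") for p in problems)
    return ok, problems, signed


# Constructed samples. NOW is fixed so the checks are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
GOOD = """# Our security address
Contact: mailto:security@xwiki.org
# Our security policy
Policy: https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/
Expires: 2025-05-31T00:00:00Z
"""
BAD = """Policy: http://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/
Expires: 2023-01-01T00:00:00Z
Expires: 2099-01-01T00:00:00Z
"""
SIGNED = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: mailto:security@xwiki.org
Expires: 2025-05-31T00:00:00Z
-----BEGIN PGP SIGNATURE-----

placeholderSignatureBlobNotARealSignature=
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD), ("signed", SIGNED)):
        ok, problems, signed = validate_security_txt(sample, NOW)
        print(f"{label}: ok={ok} signed={signed} problems={problems}")
```

Run it against the live file by fetching `https://<host>/.well-known/security.txt` (the location RFC 9116 specifies) and passing the body to `validate_security_txt()`; dropping the `now` argument makes the expiry check use the current time, which is the check the upgrade plan above would need.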