I discovered today a new RFC (RFC 9116: A File Format to Aid in Security Vulnerability Disclosure) whose goal is to help properly reporting security issues: basically this RFC defines a format of a security.txt file that can be automatically parsed to give information about to whom to report a vulnerability and what is the policy regarding vulnerabilities.
I think it might be a good idea to put such file on xwiki.org, so I propose that we add a file containing the following content:
# Our security address
Contact: mailto:security@xwiki.org
# Our security policy
Policy: https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/
Expires: [1 year after publication]
About expiration date: the RFC strongly advise to put one, I propose that we modify the upgrade plan of XWiki.org to include checking the security.txt and updating the date when we do perform an upgrade.
The RFC also advises to sign this security.txt, I’m not sure if we already a public PGP key that we could use: if we have I guess we should use it.
Out of curiosity, do you know what’s the current adoption of this RFC? I’m mainly thinking of external tool that are indexing/scrapping security.txt files and doing something with them?
One thing that we could improve too is to add a section in our release notes or on the hall of fame page on dev.xwiki.org, about thanking security reporters. And then put a link to it in the security.txt file. Now we’ll need a process if we were to do that or we will forget. Also it raises the question of why recognizing security reporters vs bug reporters… I don’t have the answer, just raising the topic
Note that the RFC says to put this file under https://xwiki.org/.well-known/security.txt.
Thanks. I’m hesitant to do more paperwork for something that will not be useful to others in the end.
Then, if we derive this file from structured data (e.g., XObjects), then a least they can be reused for some other format later (or to continue/improve what we started during last hackathon).