|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
new CNA guidelines
- To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
- Subject: new CNA guidelines
- From: Kurt Seifried <kurt@seifried.org>
- Date: Sat, 7 Oct 2017 19:50:22 -0600
- Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=seifried.org;
- Delivery-date: Mon Oct 9 07:47:09 2017
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 5952c28dcc454f0789fb433d26f936ef
- Spamdiagnosticoutput: 1:2
TL;DR: security.txt for reporting security issues, like robots.txt for telling web robots how to behave.
Example file:
# Our Security Address
Contact: security@example.com
# Our PGP key
Encryption: https://example.com/pgp-key.txt
# Our disclosure policy
Disclosure: Full
This would make it much easier for people to discover how to report things (99% of the time you can plug a product name in and get the web page no problem, then the problem becomes finding the contact details for reporting your security vulnerability).
This is a very nice KISS solution, it requires minimal to no maintenance (most places do not change the web page for their PGP key to often, or the reporting email address, with the exception for corporate mergers/divestitures).
My thought: make this a CNA strong usggestion, or ideally a requirement for the website(s) hosting products/product info for products covered by the CNA
kurt@seifried.org
- Follow-Ups:
- Re: new CNA guidelines
- From: Art Manion <amanion@cert.org>
- Re: new CNA guidelines
- Prev by Date: Re: CVEs with no REF URL (or a REF URL that is self referential)
- Next by Date: Re: new CNA guidelines
- Previous by thread: CNA Rules Revision - Final Draft
- Next by thread: Re: new CNA guidelines
- Index(es):