From e4443ae2b86049a54c399ace89222cabe74bd8f9 Mon Sep 17 00:00:00 2001 From: colin Date: Wed, 13 Dec 2023 17:09:08 +0000 Subject: [PATCH] Add security-contact.md --- security-contact.md | 47 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 security-contact.md diff --git a/security-contact.md b/security-contact.md new file mode 100644 index 0000000..bb3c655 --- /dev/null +++ b/security-contact.md 
@@ -0,0 +1,47 @@ +# security-contact.json + +### `security-contact.json` Structure + +1. **Email Field (Mandatory)**: + - The JSON file must include an email address for handling security concerns and communications. + +2. **Secure Form URL (Optional)**: + - Optionally, a URL to a form can be included for reporting security issues. This form should be secure and user-friendly. + +3. **Example Structure**: + +```json + { + "email": "security@example.com", + "report_form_url": "https://example.com/security-report-form" + } +``` + +--- +### General Advice for Implementing `security-contact.json` + +**Purpose**: `security-contact.json` is a JSON file placed in the `.well-known` directory of a device manufacturer's web server. It provides essential contact information for reporting security issues related to the device's configuration and operation. + +**1. Email Address (Mandatory)** + - **Importance**: The email address is the primary means of contact for security concerns. It should be specific to security-related communications. + - **Best Practices**: Use an email address monitored regularly. Consider using email address extensions to manage and filter incoming reports effectively. + - **Spam Management**: Implement measures to protect the email from spam. Regularly updating or rotating the email address can be a helpful strategy. However, the specifics of this practice are left to the manufacturer's discretion. + +**2. Secure Report Form URL (Optional)** + - **Functionality**: An alternative to email, the secure form allows for structured reporting of security issues. + - **Security**: Ensure the form is hosted securely (HTTPS). Implement measures to protect the submitted data and the form from abuse or exploitation. + - **User-Friendly Design**: Design the form intuitively and efficiently, ensuring it does not deter potential reporters. + +**3. 
Accessibility and Clarity** + - **Discoverability**: Place `security-contact.json` in a well-known, standardized location to ensure it's easily discoverable. + - **Transparency**: Maintain clarity and simplicity in the content of `security-contact.json`. Avoid unnecessary complexity that could hinder the reporting process. + +**4. Updating and Maintenance** + - **Regular Review**: Regularly update the contact information to ensure accuracy and reliability. + - **Change Management**: If the contact information changes, update the `security-contact.json` promptly to avoid any gaps in communication. + +**5. Documentation and Communication** + - **Guidelines**: Provide clear internal guidelines on handling incoming security reports. + - **External Communication**: Inform external parties about the purpose of `security-contact.json` and how it should be used for security-related communications. +--- +By adhering to these guidelines, device manufacturers can ensure that `security-contact.json` is a reliable and effective tool for enhancing device security and facilitating prompt responses to security concerns. \ No newline at end of file
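Review bot: The structure section never pins down where the file lives or how it is served, so a client cannot be written against it. The "Purpose" paragraph only says "placed in the `.well-known` directory"; add the exact path (`/.well-known/security-contact.json`), require that it be served over HTTPS with a JSON media type, and state whether `email` holds exactly one address and whether unknown keys must be ignored. The HTTPS requirement for `report_form_url` currently appears only in the advice text ("Ensure the form is hosted securely (HTTPS)"); make it a validation rule in the structure section so a consumer can reject `http://` values. The "Spam Management" advice to regularly rotate the email address conflicts with the "Discoverability" and "Regular Review" goals in sections 3 and 4: a rotated address invalidates any copy a reporter saved, so recommend a stable address with filtering and a prompt file update instead. Since this is a new format in the same directory as `security.txt` (RFC 9116), which already carries a `Contact:` field, explain why a separate JSON file is needed and how the two should coexist, and consider an optional field for an encryption key so reporters can send vulnerability details confidentially. Minor: the file is added as `security-contact.md` but its top heading is `# security-contact.json`; give the document its own title and reserve the `.json` name for the served file.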