colin
/
well-known-security
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add security-contact.md

This commit is contained in:
colin 2023-12-13 17:09:08 +00:00
commit e4443ae2b8
1 changed files with 47 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
security-contact.md Normal file
View File

@ -0,0 +1,47 @@
# security-contact.json
### `security-contact.json` Structure
1. **Email Field (Mandatory)**:
- The JSON file must include an email address for handling security concerns and communications.
2. **Secure Form URL (Optional)**:
- Optionally, a URL to a form can be included for reporting security issues. This form should be secure and user-friendly.
3. **Example Structure**:
```json
{
"email": "security@example.com",
"report_form_url": "https://example.com/security-report-form"
}
```
---
### General Advice for Implementing `security-contact.json`
**Purpose**: `security-contact.json` is a JSON file placed in the `.well-known` directory of a device manufacturer's web server. It provides essential contact information for reporting security issues related to the device's configuration and operation.
**1. Email Address (Mandatory)**
- **Importance**: The email address is the primary means of contact for security concerns. It should be specific to security-related communications.
- **Best Practices**: Use an email address monitored regularly. Consider using email address extensions to manage and filter incoming reports effectively.
- **Spam Management**: Implement measures to protect the email from spam. Regularly updating or rotating the email address can be a helpful strategy. However, the specifics of this practice are left to the manufacturer's discretion.
**2. Secure Report Form URL (Optional)**
- **Functionality**: An alternative to email, the secure form allows for structured reporting of security issues.
- **Security**: Ensure the form is hosted securely (HTTPS). Implement measures to protect the submitted data and the form from abuse or exploitation.
- **User-Friendly Design**: Design the form intuitively and efficiently, ensuring it does not deter potential reporters.
**3. Accessibility and Clarity**
- **Discoverability**: Place `security-contact.json` in a well-known, standardized location to ensure it's easily discoverable.
- **Transparency**: Maintain clarity and simplicity in the content of `security-contact.json`. Avoid unnecessary complexity that could hinder the reporting process.
**4. Updating and Maintenance**
- **Regular Review**: Regularly update the contact information to ensure accuracy and reliability.
- **Change Management**: If the contact information changes, update the `security-contact.json` promptly to avoid any gaps in communication.
**5. Documentation and Communication**
- **Guidelines**: Provide clear internal guidelines on handling incoming security reports.
- **External Communication**: Inform external parties about the purpose of `security-contact.json` and how it should be used for security-related communications.
---
By adhering to these guidelines, device manufacturers can ensure that `security-contact.json` is a reliable and effective tool for enhancing device security and facilitating prompt responses to security concerns.