# security-contact.json ### `security-contact.json` Structure 1. **Email Field (Mandatory)**: - The JSON file must include an email address for handling security concerns and communications. 2. **Secure Form URL (Optional)**: - Optionally, a URL to a form can be included for reporting security issues. This form should be secure and user-friendly. 3. **Example Structure**: ```json { "email": "security@example.com", "report_form_url": "https://example.com/security-report-form" } ``` --- ### General Advice for Implementing `security-contact.json` **Purpose**: `security-contact.json` is a JSON file placed in the `.well-known` directory of a device manufacturer's web server. It provides essential contact information for reporting security issues related to the device's configuration and operation. **1. Email Address (Mandatory)** - **Importance**: The email address is the primary means of contact for security concerns. It should be specific to security-related communications. - **Best Practices**: Use an email address monitored regularly. Consider using email address extensions to manage and filter incoming reports effectively. - **Spam Management**: Implement measures to protect the email from spam. Regularly updating or rotating the email address can be a helpful strategy. However, the specifics of this practice are left to the manufacturer's discretion. **2. Secure Report Form URL (Optional)** - **Functionality**: An alternative to email, the secure form allows for structured reporting of security issues. - **Security**: Ensure the form is hosted securely (HTTPS). Implement measures to protect the submitted data and the form from abuse or exploitation. - **User-Friendly Design**: Design the form intuitively and efficiently, ensuring it does not deter potential reporters. **3. Accessibility and Clarity** - **Discoverability**: Place `security-contact.json` in a well-known, standardized location to ensure it's easily discoverable. - **Transparency**: Maintain clarity and simplicity in the content of `security-contact.json`. Avoid unnecessary complexity that could hinder the reporting process. **4. Updating and Maintenance** - **Regular Review**: Regularly update the contact information to ensure accuracy and reliability. - **Change Management**: If the contact information changes, update the `security-contact.json` promptly to avoid any gaps in communication. **5. Documentation and Communication** - **Guidelines**: Provide clear internal guidelines on handling incoming security reports. - **External Communication**: Inform external parties about the purpose of `security-contact.json` and how it should be used for security-related communications. --- By adhering to these guidelines, device manufacturers can ensure that `security-contact.json` is a reliable and effective tool for enhancing device security and facilitating prompt responses to security concerns.