well-known-security/security-contact.md

security-contact.json

security-contact.json Structure

  1. Email Field (Mandatory):

    • The JSON file must include an email address to which security concerns and related communications are sent.
  2. Secure Form URL (Optional):

    • Optionally, the file may include the URL of a web form for reporting security issues. The form must be served over HTTPS and should be simple enough that it does not deter reporters.
  3. Example Structure:

   {
     "email": "security@example.com",
     "report_form_url": "https://example.com/security-report-form"
   }
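The following validator is an added example, not code from the page or from any project it describes. It parses a security-contact.json document against the structure above: the email field is mandatory and must be a bare mailbox address (a display-name form such as "Security Team <sec@example.com>" is rejected), report_form_url is optional but, when present, must be an absolute https:// URL, and any other field is reported as unknown. It also builds the well-known URL a reporter will fetch. The sample documents are constructed for the example; the field names are the page's own.

```python
"""Parse and validate a security-contact.json document (added example)."""
import json
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlsplit

REQUIRED = {"email"}              # mandatory per the structure section
OPTIONAL = {"report_form_url"}    # optional secure form URL


def well_known_url(host: str) -> str:
    """Where a reporter looks for the file: always HTTPS, always under /.well-known/."""
    return f"https://{host}/.well-known/security-contact.json"


def valid_email(value) -> bool:
    """Accept only a bare mailbox address such as security@example.com."""
    if not isinstance(value, str):
        return False
    name, addr = parseaddr(value)
    # parseaddr is lenient; insist the whole value is the address (no display name,
    # no angle brackets) and that it has a non-empty local part and a dotted domain.
    if name or addr != value:
        return False
    local, sep, domain = addr.rpartition("@")
    return bool(sep and local and "." in domain and " " not in addr)


def validate(doc) -> list:
    """Return a list of problems; an empty list means the document is acceptable."""
    if not isinstance(doc, dict):
        return ["top-level value must be a JSON object"]
    keys = set(doc)
    problems = [f"missing mandatory field: {k}" for k in sorted(REQUIRED - keys)]
    problems += [f"unknown field: {k}" for k in sorted(keys - REQUIRED - OPTIONAL)]
    if "email" in doc and not valid_email(doc["email"]):
        problems.append("email is not a bare mailbox address (user@domain)")
    if "report_form_url" in doc:
        url = doc["report_form_url"]
        parts = urlsplit(url) if isinstance(url, str) else None
        # The page requires the form to be hosted over HTTPS; also require a host,
        # so a relative path cannot slip through.
        if parts is None or parts.scheme != "https" or not parts.netloc:
            problems.append("report_form_url must be an absolute https:// URL")
    return problems


def parse(text: str):
    """Decode JSON text and validate it; returns (document or None, problems)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    return doc, validate(doc)


# Constructed sample documents (not taken from any real deployment).
GOOD = (
    '{"email": "security@example.com", '
    '"report_form_url": "https://example.com/security-report-form"}'
)
BAD = (
    '{"report_form_url": "http://example.com/form", '
    '"contact": "Security Team <sec@example.com>"}'
)

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD), ("BROKEN", "{")):
        _, problems = parse(text)
        print(label, "->", problems or "ok")
    print(well_known_url("example.com"))
```

To check a live deployment, fetch the file from the URL `well_known_url` produces (for example with curl) and pass the body to `parse`; a non-empty problem list means reporters may be unable to reach you even though the file exists.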

General Advice for Implementing security-contact.json

Purpose: security-contact.json is a JSON file placed in the .well-known directory of a device manufacturer's web server. It provides essential contact information for reporting security issues related to the device's configuration and operation.

1. Email Address (Mandatory)

  • Importance: The email address is the primary means of contact for security concerns. It should be dedicated to security-related communications rather than a general support or info mailbox.
  • Best Practices: Use an address that is monitored regularly, ideally by more than one person. Sub-addressing (for example security+reports@example.com, where the mail server delivers anything after the "+" to the same mailbox) lets you tag and filter incoming reports without publishing a separate address.
  • Spam Management: Protect the address from spam; a published address will be harvested. Rotating the address periodically is one option, but if you rotate it, update security-contact.json in the same change and keep the old address delivering for a transition period so that in-flight reports are not lost. The specifics are left to the manufacturer's discretion.

2. Secure Report Form URL (Optional)

  • Functionality: As an alternative to email, the form allows structured reporting of security issues (affected product and version, description, steps to reproduce, reporter contact).
  • Security: Host the form over HTTPS only. Protect it from abuse with rate limiting, anti-automation measures and CSRF protection, and store submitted reports so that only the security team can read them; a report describing an unpatched vulnerability is itself sensitive data.
  • User-Friendly Design: Keep the form short and do not require an account or login; friction at this point deters reporters.

3. Accessibility and Clarity

  • Discoverability: Serve the file at the standardized location https://<host>/.well-known/security-contact.json, over HTTPS, with Content-Type: application/json. This is the same directory researchers already check for security.txt (RFC 9116), so it is where they will look.
  • Transparency: Keep the content of security-contact.json minimal and unambiguous. Avoid unnecessary fields or complexity that could hinder the reporting process.

4. Updating and Maintenance

  • Regular Review: Review the contact information on a schedule and confirm that the mailbox is still monitored and the form still works; periodically send a test report to the published address.
  • Change Management: If the contact information changes, update security-contact.json promptly, in the same change, to avoid any gap in communication.

5. Documentation and Communication

  • Guidelines: Provide clear internal guidelines on handling incoming security reports.
  • External Communication: Inform external parties about the purpose of security-contact.json and how it should be used for security-related communications.

By adhering to these guidelines, device manufacturers can ensure that security-contact.json is a reliable and effective tool for enhancing device security and facilitating prompt responses to security concerns.