47 lines
2.9 KiB
Markdown
47 lines
2.9 KiB
Markdown
# security-contact.json
|
|
|
|
### `security-contact.json` Structure
|
|
|
|
1. **Email Field (Mandatory)**:
|
|
- The JSON file must include an email address for handling security concerns and communications.
|
|
|
|
2. **Secure Form URL (Optional)**:
|
|
- Optionally, a URL to a form can be included for reporting security issues. This form should be secure and user-friendly.
|
|
|
|
3. **Example Structure**:
|
|
|
|
```json
|
|
{
|
|
"email": "security@example.com",
|
|
"report_form_url": "https://example.com/security-report-form"
|
|
}
|
|
```
|
|
|
|
---
|
|
### General Advice for Implementing `security-contact.json`
|
|
|
|
**Purpose**: `security-contact.json` is a JSON file placed in the `.well-known` directory of a device manufacturer's web server. It provides essential contact information for reporting security issues related to the device's configuration and operation.
|
|
|
|
**1. Email Address (Mandatory)**
|
|
- **Importance**: The email address is the primary means of contact for security concerns. It should be specific to security-related communications.
|
|
- **Best Practices**: Use an email address monitored regularly. Consider using email address extensions to manage and filter incoming reports effectively.
|
|
- **Spam Management**: Implement measures to protect the email from spam. Regularly updating or rotating the email address can be a helpful strategy. However, the specifics of this practice are left to the manufacturer's discretion.
|
|
|
|
**2. Secure Report Form URL (Optional)**
|
|
- **Functionality**: An alternative to email, the secure form allows for structured reporting of security issues.
|
|
- **Security**: Ensure the form is hosted securely (HTTPS). Implement measures to protect the submitted data and the form from abuse or exploitation.
|
|
- **User-Friendly Design**: Design the form intuitively and efficiently, ensuring it does not deter potential reporters.
|
|
|
|
**3. Accessibility and Clarity**
|
|
- **Discoverability**: Place `security-contact.json` in a well-known, standardized location to ensure it's easily discoverable.
|
|
- **Transparency**: Maintain clarity and simplicity in the content of `security-contact.json`. Avoid unnecessary complexity that could hinder the reporting process.
|
|
|
|
**4. Updating and Maintenance**
|
|
- **Regular Review**: Regularly update the contact information to ensure accuracy and reliability.
|
|
- **Change Management**: If the contact information changes, update the `security-contact.json` promptly to avoid any gaps in communication.
|
|
|
|
**5. Documentation and Communication**
|
|
- **Guidelines**: Provide clear internal guidelines on handling incoming security reports.
|
|
- **External Communication**: Inform external parties about the purpose of `security-contact.json` and how it should be used for security-related communications.
|
|
---
|
|
By adhering to these guidelines, device manufacturers can ensure that `security-contact.json` is a reliable and effective tool for enhancing device security and facilitating prompt responses to security concerns. |