get to prod tasks
tasks/web-production/24-security-txt.md
Normal file
@@ -0,0 +1,79 @@
# 24. Security.txt & Responsible Disclosure

meta:
id: web-production-24
feature: web-production
priority: P2
depends_on: []
tags: [security, compliance, production]

objective:
- Implement security.txt and responsible disclosure process for security researchers

deliverables:
- security.txt file at /.well-known/security.txt
- security@kordant.com email address
- Responsible disclosure policy page
- Bug bounty program foundation

steps:
1. Create security.txt:
- Contact: mailto:security@kordant.com
- Expires: date 1 year in future
- Encryption: link to PGP key (optional)
- Acknowledgments: link to hall of fame page
- Policy: link to disclosure policy
- Hiring: link to security jobs (if applicable)
2. Create responsible disclosure policy:
- Page at /security/disclosure
- Scope of testing (what's in scope, what's out)
- Rules of engagement (no DDoS, no data exfiltration)
- Safe harbor promise (won't prosecute good faith research)
- Reporting process and expected response time
- Reward/recognition program details
3. Set up security email:
- Create security@kordant.com alias
- Forward to engineering team
- Set up auto-responder with acknowledgment
- Create internal triage process
4. Create vulnerability response process:
- Internal SLA: acknowledge within 48 hours
- Triage within 72 hours
- Fix critical vulnerabilities within 7 days
- Fix high severity within 30 days
- Public disclosure after fix deployed
5. Add hall of fame page:
- Page at /security/hall-of-fame
- List researchers who reported valid vulnerabilities
- Include date, severity, and researcher name (with permission)
6. Add security page to footer:
- Link to disclosure policy
- Link to security.txt
- Link to hall of fame

tests:
- Integration: Verify security.txt accessible
- Process: Test email auto-responder
- Content: Review policy with security team

acceptance_criteria:
- security.txt accessible at /.well-known/security.txt
- Disclosure policy live at /security/disclosure
- security@kordant.com email active with auto-responder
- Hall of fame page live at /security/hall-of-fame
- Safe harbor promise clearly stated
- Response SLA documented and followed
- Security links in site footer
- PGP key available for encrypted communication (optional)

validation:
- `curl https://kordant.com/.well-known/security.txt` → valid security.txt
- Email security@kordant.com → auto-responder received
- Navigate to /security/disclosure → complete policy visible
- Check footer → security links present

notes:
- security.txt standard defined by RFC 9116
- Safe harbor is critical for encouraging responsible disclosure
- Consider joining HackerOne or Bugcrowd for managed bug bounty
- Document vulnerability severity classification (CVSS)
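Review bot: step 1 under-specifies the fields that RFC 9116 (cited in the notes) makes mandatory or recommended, so the "valid security.txt" validation has nothing concrete to check against. `- Expires: date 1 year in future` must be an ISO 8601 timestamp, and the RFC recommends a value less than a year into the future, so this step needs a renewal reminder or a scheduled check; otherwise the file expires silently and `curl https://kordant.com/.well-known/security.txt` still returns 200. The RFC also recommends an OpenPGP cleartext signature on the file together with a `Canonical` field pointing at the https URI; since `- Encryption: link to PGP key (optional)` already assumes a key exists, signing belongs in the same step. The validation line should spell out what "valid" means: served over HTTPS with `Content-Type: text/plain; charset=utf-8`, `Contact` present, `Expires` in the future, signature verifies. Minor: step 4 gives fix targets only for critical and high, while the notes ask for a CVSS classification; add targets for medium and low (or state that they are best effort) so the "Response SLA documented and followed" acceptance criterion is testable, and state the maximum coordinated-disclosure window alongside "Public disclosure after fix deployed" so researchers know when they may publish if a fix slips.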