# 24. Security.txt & Responsible Disclosure

meta:
  id: web-production-24
  feature: web-production
  priority: P2
  depends_on: []
  tags: [security, compliance, production]

objective:
  - Implement security.txt and a responsible disclosure process for security researchers

deliverables:
  - security.txt file at /.well-known/security.txt
  - security@kordant.com email address
  - Responsible disclosure policy page
  - Bug bounty program foundation

steps:
  1. Create security.txt:
     - Contact: mailto:security@kordant.com
     - Expires: date 1 year in the future
     - Encryption: link to PGP key (optional)
     - Acknowledgments: link to hall of fame page
     - Policy: link to disclosure policy
     - Hiring: link to security jobs (if applicable)
  2. Create responsible disclosure policy:
     - Page at /security/disclosure
     - Scope of testing (what's in scope, what's out)
     - Rules of engagement (no DDoS, no data exfiltration)
     - Safe harbor promise (won't prosecute good-faith research)
     - Reporting process and expected response time
     - Reward/recognition program details
  3. Set up security email:
     - Create security@kordant.com alias
     - Forward to engineering team
     - Set up auto-responder with acknowledgment
     - Create internal triage process
  4. Create vulnerability response process:
     - Internal SLA: acknowledge within 48 hours
     - Triage within 72 hours
     - Fix critical vulnerabilities within 7 days
     - Fix high severity within 30 days
     - Public disclosure after fix deployed
  5. Add hall of fame page:
     - Page at /security/hall-of-fame
     - List researchers who reported valid vulnerabilities
     - Include date, severity, and researcher name (with permission)
  6. Add security page to footer:
     - Link to disclosure policy
     - Link to security.txt
     - Link to hall of fame

tests:
  - Integration: verify security.txt is accessible
  - Process: test email auto-responder
  - Content: review policy with security team

acceptance_criteria:
  - security.txt accessible at /.well-known/security.txt
  - Disclosure policy live at /security/disclosure
  - security@kordant.com email active with auto-responder
  - Hall of fame page live at /security/hall-of-fame
  - Safe harbor promise clearly stated
  - Response SLA documented and followed
  - Security links in site footer
  - PGP key available for encrypted communication (optional)

validation:
  - `curl https://kordant.com/.well-known/security.txt` → valid security.txt
  - Email security@kordant.com → auto-responder received
  - Navigate to /security/disclosure → complete policy visible
  - Check footer → security links present

notes:
  - security.txt standard defined by RFC 9116
  - Safe harbor is critical for encouraging responsible disclosure
  - Consider joining HackerOne or Bugcrowd for managed bug bounty
  - Document vulnerability severity classification (CVSS)
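An added example, not part of this task spec, that renders the security.txt from step 1 and checks a fetched copy against the RFC 9116 requirements the `curl` validation step relies on (Contact and Expires present, Expires in the future but no more than a year out, policy links over https). The kordant.com URLs are taken from the spec; the field checks are this example's own reading of RFC 9116.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"  # RFC 9116 uses ISO 8601 timestamps; the UTC "Z" form is used here

def build_security_txt(now=None, base="https://kordant.com", validity_days=365):
    """Render the file from step 1; Expires lands one year after `now` (UTC)."""
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=validity_days)).strftime(FMT)
    return (f"Contact: mailto:security@kordant.com\nExpires: {expires}\n"
            f"Policy: {base}/security/disclosure\n"
            f"Acknowledgments: {base}/security/hall-of-fame\n"
            f"Canonical: {base}/.well-known/security.txt\n")

def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes the checks."""
    now = now or datetime.now(timezone.utc)
    fields, problems = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed by the spec
        if ":" not in line:
            problems.append(f"malformed line: {line!r}")
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    contacts = fields.get("Contact", [])
    if not contacts:
        problems.append("Contact is required")
    for c in contacts:
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact must be a mailto:, https:, or tel: URI: {c}")
    expires = fields.get("Expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            exp = datetime.strptime(expires[0], FMT).replace(tzinfo=timezone.utc)
            if exp <= now:
                problems.append("Expires is in the past; the file must be refreshed")
            elif exp > now + timedelta(days=366):
                problems.append("Expires is more than a year out (RFC 9116 advises against this)")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 UTC timestamp: {expires[0]}")
    for name in ("Policy", "Acknowledgments", "Encryption", "Hiring", "Canonical"):
        for v in fields.get(name, []):
            if not v.startswith("https://"):
                problems.append(f"{name} must be an https URL: {v}")
    return problems
```

Running `validate_security_txt` on the body returned by the `curl` check gives a concrete pass/fail for the "valid security.txt" criterion, and an expired file shows up as a problem rather than passing silently.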