Kordant/tasks/web-production/24-security-txt.md
2026-05-26 16:06:34 -04:00


24. Security.txt & Responsible Disclosure

meta:

  • id: web-production-24
  • feature: web-production
  • priority: P2
  • depends_on: []
  • tags: [security, compliance, production]

objective:

  • Implement security.txt and responsible disclosure process for security researchers

deliverables:

  • security.txt file at /.well-known/security.txt
  • security@kordant.com email address
  • Responsible disclosure policy page
  • Bug bounty program foundation

steps:

  1. Create security.txt (RFC 9116; served over HTTPS with Content-Type text/plain; optionally redirect the legacy /security.txt path to it):
    • Contact: mailto:security@kordant.com (required; a bare address without the mailto: scheme is not a valid value)
    • Expires: required, exactly one, ISO 8601 with a timezone offset (e.g. 2027-05-01T00:00:00.000Z); RFC 9116 recommends less than one year out, so put the renewal on a calendar before the file goes stale
    • Canonical: https://kordant.com/.well-known/security.txt (recommended; lets a reader tell the real file from copies elsewhere)
    • Encryption: link to PGP key (optional; an https:// URL, or a dns: / openpgp4fpr: reference)
    • Acknowledgments: link to hall of fame page
    • Policy: link to disclosure policy
    • Hiring: link to security jobs (if applicable)
    • Sign the finished file with the PGP key as an OpenPGP cleartext signature (recommended by the RFC)
  2. Create responsible disclosure policy:
    • Page at /security/disclosure
    • Scope of testing (what's in scope, what's out: list domains, apps, and any third-party services researchers must not touch)
    • Rules of engagement (no DDoS, no data exfiltration, no social engineering of staff; stop at proof of concept and report rather than pivoting further)
    • Safe harbor promise (won't prosecute good faith research that follows these rules)
    • Reporting process and expected response time
    • Reward/recognition program details
  3. Set up security email:
    • Create security@kordant.com alias
    • Forward to a small, named security/on-call group rather than a broad engineering list (reports are sensitive until the fix ships)
    • Set up auto-responder that confirms receipt and links to the policy and SLA; it should not imply the report is valid or promise a reward
    • Create internal triage process (each report tracked in a restricted ticket with severity, owner, and due date)
  4. Create vulnerability response process:
    • Internal SLA: human acknowledgment within 48 hours (the auto-responder does not count)
    • Triage within 72 hours
    • Fix critical vulnerabilities within 7 days
    • Fix high severity within 30 days
    • Public disclosure after fix deployed, coordinated with the reporter
  5. Add hall of fame page:
    • Page at /security/hall-of-fame
    • List researchers who reported valid vulnerabilities
    • Include date, severity, and researcher name (with permission)
  6. Add security page to footer:
    • Link to disclosure policy
    • Link to security.txt
    • Link to hall of fame

tests:

  • Integration: Verify security.txt is served over HTTPS as text/plain and passes RFC 9116 checks (Contact present, exactly one Expires in the future)
  • Process: Test email auto-responder
  • Content: Review policy with security team

acceptance_criteria:

  • security.txt accessible at /.well-known/security.txt with Contact and a single, unexpired Expires
  • Disclosure policy live at /security/disclosure
  • security@kordant.com email active with auto-responder
  • Hall of fame page live at /security/hall-of-fame
  • Safe harbor promise clearly stated
  • Response SLA documented and followed
  • Security links in site footer
  • PGP key available for encrypted communication (optional)

validation:

  • curl -i https://kordant.com/.well-known/security.txt → HTTP 200, Content-Type text/plain, Contact present, exactly one Expires with a future date
  • Email security@kordant.com → auto-responder received
  • Navigate to /security/disclosure → complete policy visible
  • Check footer → security links present
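The following validator is an added example for step 1 and the curl validation above; it is not part of the Kordant repo. It parses a security.txt (tolerating the RFC 9116 cleartext-signature wrapper) and applies the checks that trip people up most often: missing or unschemed Contact, duplicated or expired Expires, Canonical not matching the fetched URL, and non-HTTPS links. The two embedded files are constructed samples; the PGP key path in the good one is an assumption, the other paths come from this task.

```python
"""RFC 9116 security.txt validator: added example, not code from the Kordant repo."""
import re
from datetime import datetime, timedelta, timezone

# Fields RFC 9116 defines; Expires and Preferred-Languages may appear at most once.
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages", "csaf"}
SINGLE_VALUED = ("expires", "preferred-languages")
MAX_VALIDITY = timedelta(days=365)  # RFC 9116 recommends Expires less than a year out
URL_FIELDS = ("acknowledgments", "policy", "hiring", "canonical", "encryption", "csaf")


def parse_security_txt(text):
    """Return ({field: [values]}, [problems]); skips a PGP cleartext signature wrapper."""
    fields, problems, state = {}, [], "body"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r")
        if line.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
            state = "sig-headers"   # skip 'Hash: SHA256' and the blank line after it
            continue
        if state == "sig-headers":
            if line.strip() == "":
                state = "body"
            continue
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break                   # the signature block is not part of the file body
        if line.startswith("- "):
            line = line[2:]         # undo dash-escaping used inside cleartext signatures
        if not line.strip() or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][A-Za-z-]*):\s*(\S.*?)\s*$", line)
        if not m:
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name not in KNOWN_FIELDS:
            problems.append(f"line {lineno}: unknown field {m.group(1)!r}")
        fields.setdefault(name, []).append(value)
    return fields, problems


def parse_expires(value):
    """ISO 8601 Expires value -> aware datetime, or None if it cannot be parsed."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def validate_security_txt(text, now=None, fetched_from=None):
    """Return the list of RFC 9116 problems found (empty list means the file passes)."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text)
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear only once")
    if "contact" not in fields:
        problems.append("Contact is required")
    for v in fields.get("contact", []):
        if not re.match(r"^(mailto:|tel:|https://)", v):
            problems.append(f"Contact must be a mailto:, tel: or https: URI: {v!r}")
    if "expires" not in fields:
        problems.append("Expires is required")
    else:
        exp = parse_expires(fields["expires"][0])
        if exp is None or exp.tzinfo is None:
            problems.append("Expires must be an ISO 8601 datetime with a timezone offset")
        elif exp <= now:
            problems.append("Expires is in the past; the file must be treated as stale")
        elif exp - now > MAX_VALIDITY:
            problems.append("Expires is more than a year out (RFC 9116 recommends less)")
    for name in URL_FIELDS:
        for v in fields.get(name, []):
            if name == "encryption" and v.startswith(("dns:", "openpgp4fpr:")):
                continue
            if not v.startswith("https://"):
                problems.append(f"{name} must be an https:// URL: {v!r}")
    if fetched_from and "canonical" in fields and fetched_from not in fields["canonical"]:
        problems.append(f"Canonical does not list the URL the file was fetched from ({fetched_from})")
    return problems


def check_transport(url, status_code, content_type):
    """Checks on the HTTP response that carried the file (values as seen in curl -i)."""
    problems = []
    if not url.startswith("https://"):
        problems.append("security.txt must be served over HTTPS")
    if status_code != 200:
        problems.append(f"expected HTTP 200, got {status_code}")
    if not content_type.lower().startswith("text/plain"):
        problems.append(f"Content-Type must be text/plain, got {content_type!r}")
    return problems


# Constructed sample of what this task's file should look like (PGP key URL is an assumption).
GOOD = """\
Contact: mailto:security@kordant.com
Expires: 2027-05-01T00:00:00.000Z
Encryption: https://kordant.com/.well-known/pgp-key.txt
Acknowledgments: https://kordant.com/security/hall-of-fame
Policy: https://kordant.com/security/disclosure
Canonical: https://kordant.com/.well-known/security.txt
Preferred-Languages: en
"""

# Constructed sample with the usual mistakes: bare email, expired and duplicated Expires, http link.
BAD = """\
Contact: security@kordant.com
Expires: 2025-01-01T00:00:00Z
Expires: 2027-01-01T00:00:00Z
Policy: http://kordant.com/security/disclosure
"""

NOW = datetime(2026, 5, 26, tzinfo=timezone.utc)  # frozen clock so results are reproducible

if __name__ == "__main__":
    print(validate_security_txt(GOOD, NOW, "https://kordant.com/.well-known/security.txt"))
    for p in validate_security_txt(BAD, NOW):
        print("BAD:", p)
```

To use it against the live site, pipe the body of `curl -s https://kordant.com/.well-known/security.txt` into validate_security_txt with fetched_from set to that URL, and feed the status line and Content-Type header from `curl -i` to check_transport; run it from the same job that renews Expires so the file cannot silently go stale.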

notes:

  • security.txt standard defined by RFC 9116 (Contact and Expires are the only required fields; an expired file is to be treated as stale)
  • Safe harbor is critical for encouraging responsible disclosure
  • Consider joining HackerOne or Bugcrowd for managed bug bounty
  • Document vulnerability severity classification (e.g. CVSS base score mapped to the critical/high SLA tiers in step 4)