# 24. Security.txt & Responsible Disclosure

meta:
  id: web-production-24
  feature: web-production
  priority: P2
  depends_on: []
  tags: [security, compliance, production]

objective:
  - Implement security.txt and responsible disclosure process for security researchers

deliverables:
  - security.txt file at /.well-known/security.txt
  - security@kordant.com email address
  - Responsible disclosure policy page
  - Bug bounty program foundation

steps:
  1. Create security.txt:
     - Contact: mailto:security@kordant.com
     - Expires: date 1 year in future
     - Encryption: link to PGP key (optional)
     - Acknowledgments: link to hall of fame page
     - Policy: link to disclosure policy
     - Hiring: link to security jobs (if applicable)
  2. Create responsible disclosure policy:
     - Page at /security/disclosure
     - Scope of testing (what's in scope, what's out)
     - Rules of engagement (no DDoS, no data exfiltration)
     - Safe harbor promise (won't prosecute good faith research)
     - Reporting process and expected response time
     - Reward/recognition program details
  3. Set up security email:
     - Create security@kordant.com alias
     - Forward to engineering team
     - Set up auto-responder with acknowledgment
     - Create internal triage process
  4. Create vulnerability response process:
     - Internal SLA: acknowledge within 48 hours
     - Triage within 72 hours
     - Fix critical vulnerabilities within 7 days
     - Fix high severity within 30 days
     - Public disclosure after fix deployed
  5. Add hall of fame page:
     - Page at /security/hall-of-fame
     - List researchers who reported valid vulnerabilities
     - Include date, severity, and researcher name (with permission)
  6. Add security page to footer:
     - Link to disclosure policy
     - Link to security.txt
     - Link to hall of fame
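The file produced in step 1 can be checked in CI before deploy. The following is an added example, not code from the kordant project, that parses a security.txt and checks the RFC 9116 rules this task relies on: Contact and exactly one Expires are required, Expires is a zoned ISO 8601 timestamp in the future, and link fields use https. The sample file and its URLs are constructed for illustration.

```python
"""Parse and sanity-check a security.txt file (RFC 9116).
Example code added for this task; not part of the kordant project."""
from datetime import datetime, timezone

# Constructed sample mirroring the fields listed in step 1.
SAMPLE = """\
Contact: mailto:security@kordant.com
Expires: 2099-01-01T00:00:00Z
Encryption: https://kordant.com/.well-known/pgp-key.txt
Acknowledgments: https://kordant.com/security/hall-of-fame
Policy: https://kordant.com/security/disclosure
Canonical: https://kordant.com/.well-known/security.txt
"""

ALLOWED_CONTACT_SCHEMES = ("mailto:", "https://", "tel:")
URL_FIELDS = ("Encryption", "Acknowledgments", "Policy", "Hiring", "Canonical")

def parse_security_txt(text):
    """Return {field: [values]}, skipping blank lines and '#' comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")  # split at the first colon only
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    if "Contact" not in fields:
        problems.append("missing required Contact field")
    for c in fields.get("Contact", []):
        if not c.startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:/https:/tel: URI: {c}")
    expires = fields.get("Expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            when = None
            problems.append(f"Expires is not ISO 8601: {expires[0]}")
        if when is not None and when.tzinfo is None:
            problems.append("Expires must carry a time zone (e.g. trailing Z)")
        elif when is not None and when <= now:
            problems.append(f"Expires is in the past: {expires[0]}")
    for f in URL_FIELDS:
        for v in fields.get(f, []):
            if not v.startswith("https://"):
                problems.append(f"{f} must be an https URL: {v}")
    return problems
```

Run `validate_security_txt(open("security.txt").read())` against the deployed file; a stale Expires is the most common drift once the file is live.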

tests:
  - Integration: Verify security.txt accessible
  - Process: Test email auto-responder
  - Content: Review policy with security team

acceptance_criteria:
  - security.txt accessible at /.well-known/security.txt
  - Disclosure policy live at /security/disclosure
  - security@kordant.com email active with auto-responder
  - Hall of fame page live at /security/hall-of-fame
  - Safe harbor promise clearly stated
  - Response SLA documented and followed
  - Security links in site footer
  - PGP key available for encrypted communication (optional)

validation:
  - `curl https://kordant.com/.well-known/security.txt` → valid security.txt
  - Email security@kordant.com → auto-responder received
  - Navigate to /security/disclosure → complete policy visible
  - Check footer → security links present

notes:
  - security.txt standard defined by RFC 9116
  - Safe harbor is critical for encouraging responsible disclosure
  - Consider joining HackerOne or Bugcrowd for managed bug bounty
  - Document vulnerability severity classification (CVSS)