transparency-exchange-api icon indicating copy to clipboard operation
transparency-exchange-api copied to clipboard
Published 2 months ago verified publisher icon CycloneDX

Using security.txt to indicate TEA service availability

Open oej opened this issue 1 year ago • 2 comments

As an alternative, we could register a security.txt field.

The list of security.txt fields is also a registry maintained by IANA.

Originally posted by @ppkarwasz in #30

oej avatar Nov 13 '24 09:11 oej

Security.txt is a good way to be able to find the API without having to have a product ID. It's different than the "ordinary" TEA discovery based on the TEI.

oej avatar Nov 18 '24 11:11 oej

From the RFC: "Designated experts should determine whether a proposed registration or update provides value to organizations and researchers using this format and makes sense in the context of industry-accepted vulnerability disclosure processes such as [ISO.29147.2018] and [CERT.CVD]."

oej avatar Nov 18 '24 12:11 oej