
Provide https://qubes-os.org/.well-known/security.txt

Open DemiMarie opened this issue 4 years ago • 7 comments


The problem you're addressing (if any)

Qubes OS doesn’t support the security.txt standard for machine-parsable vulnerability reporting information.

The solution you'd like

Support the standard 🙂

The value to a user, and who that user might be

Not sure tbh.

DemiMarie avatar Oct 27 '21 20:10 DemiMarie

What should the content of this file consist of? How common is this? Do other projects do it?

andrewdavidwong avatar Oct 29 '21 01:10 andrewdavidwong

On Thu, Oct 28, 2021 at 06:28:39PM -0700, Andrew David Wong wrote:

> What should content of this file consist of? How common is this? Do other projects do it?

https://securitytxt.org/ It's becoming more common although still not (imo) widely adopted.

unman avatar Oct 29 '21 01:10 unman

> https://securitytxt.org/ It's becoming more common although still not (imo) widely adopted.

Thanks. I generated one:

Contact: https://www.qubes-os.org/security/
Expires: 2025-01-01T08:00:00.000Z
Encryption: https://keys.qubes-os.org/keys/qubes-os-security-team-key.asc
Canonical: https://qubes-os.org/.well-known/security.txt
Policy: https://www.qubes-os.org/security/

(Not sure if Jekyll/GH Pages will let us use /.well-known/ in the permalink, but if not, we can put it in the root directory.)

@DemiMarie, is this what you had in mind?

andrewdavidwong avatar Oct 29 '21 21:10 andrewdavidwong
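
An added example (not part of the original thread and not Qubes OS project code): a minimal Python check of a security.txt file against core RFC 9116 requirements, run on the draft posted in the comment above. The function names are hypothetical, and only a subset of the RFC's rules is checked (Contact present, exactly one unexpired Expires, no plain-HTTP URIs).

```python
from datetime import datetime, timezone

# The draft file from the comment above, copied verbatim as sample input.
SAMPLE = """\
Contact: https://www.qubes-os.org/security/
Expires: 2025-01-01T08:00:00.000Z
Encryption: https://keys.qubes-os.org/keys/qubes-os-security-team-key.asc
Canonical: https://qubes-os.org/.well-known/security.txt
Policy: https://www.qubes-os.org/security/
"""

# RFC 9116 fields whose values are URIs (field names are case-insensitive).
URI_FIELDS = ("acknowledgments", "canonical", "contact", "encryption", "hiring", "policy")

def parse_security_txt(text):
    """Return {field: [values]}, skipping blank lines and '#' comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now):
    """Return a list of problems; an empty list means every check passed."""
    fields = parse_security_txt(text)
    problems = []
    if not fields.get("contact"):
        problems.append("Contact is required")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            # Older Python versions do not accept a trailing "Z" directly.
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                problems.append("Expires has no UTC offset")
            elif when <= now:
                problems.append("Expires is in the past")
        except ValueError:
            problems.append("Expires is not a valid timestamp")
    for name in URI_FIELDS:
        for value in fields.get(name, []):
            if value.lower().startswith("http://"):
                problems.append(f"{name} must use https://")
    return problems
```

Calling `check_security_txt(text, datetime.now(timezone.utc))` from a scheduled job or CI step flags the file once its Expires date has passed.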

@andrewdavidwong For contact I would use mailto:[email protected] unless there is some reason not to.

DemiMarie avatar Oct 29 '21 21:10 DemiMarie

@andrewdavidwong:

> Not sure if Jekyll/GH Pages will let us use /.well-known/ in the permalink, but if not, we can put it in the root directory.

If you place .well-known at the root of repo and add:

include:
  - .well-known

to the _config.yml file, then Jekyll will include this directory at the root of the output directory and the permalink /.well-known/ should work.

SaswatPadhi avatar Oct 30 '21 23:10 SaswatPadhi

> @andrewdavidwong For contact I would use mailto:[email protected] unless there is some reason not to.

I don't want it to get any more spam.

> @andrewdavidwong:
>
> > Not sure if Jekyll/GH Pages will let us use /.well-known/ in the permalink, but if not, we can put it in the root directory.
>
> If you place .well-known at the root of repo and add:
>
>     include:
>       - .well-known
>
> to the _config.yml file, then Jekyll will include this directory at the root of the output directory and the permalink /.well-known/ should work.

Thanks!

andrewdavidwong avatar Oct 31 '21 21:10 andrewdavidwong

PR submitted: https://github.com/QubesOS/qubesos.github.io/pull/247 Awaits review.

@parulin For next time, add one of the keywords mentioned here to the commit message to link it to the issue. Thanks.

alimirjamali avatar Jun 26 '24 15:06 alimirjamali