security-txt
Add "CSAF" field to find OASIS CSAF documents
CSAF is an OASIS draft standard to define a machine-readable format for security advisories. It would be something like:
CSAF: https://psirt.domain.tld/advisories/csaf/
See: https://github.com/oasis-tcs/csaf/issues/152
Deferred to the future; once the draft is approved, this field can be added to the IANA registry via the standard process.
Thank you for considering adding a CSAF reference!
This is now tracked in oasis-tcs/csaf#318. The usage is described in Section 7.1.8 of the CSAF specification.
Thanks - security.txt is about to become an RFC and this work can begin right after that.
Thank you 🙏
The RFC has been published: https://www.rfc-editor.org/rfc/rfc9116.html
A few examples of security.txt with CSAF references:
- https://www.cisco.com/.well-known/security.txt
- https://www.tibco.com/.well-known/security.txt
@santosomar This one works:
- https://www.cisco.com/.well-known/security.txt
That one does not (any more) and fails with ERR_TOO_MANY_REDIRECTS:
- https://www.tibco.com/.well-known/security.txt
I contacted Tibco and they fixed it.
The value CSAF has been added to the registry: https://www.iana.org/assignments/security-txt-fields/security-txt-fields.xhtml
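
One way a consumer could read the CSAF field discussed in this thread out of a security.txt file, added here as an example (not code from the security.txt or CSAF projects). The sample file is constructed, the function names are hypothetical, and accepting only `https://` values is this example's check, following RFC 9116's rule for web URIs.

```python
import re
from urllib.parse import urlsplit

# Constructed sample file; the first CSAF value is the one quoted in the issue.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# constructed security.txt for illustration
Contact: mailto:psirt@domain.tld
Expires: 2030-01-01T00:00:00.000Z
CSAF: https://psirt.domain.tld/advisories/csaf/
csaf: http://psirt.domain.tld/legacy/csaf/
-----BEGIN PGP SIGNATURE-----
(signature omitted)
-----END PGP SIGNATURE-----
"""

FIELD_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*?)\s*$")

def parse_fields(text):
    """Return (lowercased name, value) pairs, skipping comments and PGP armor."""
    fields, in_armor_headers = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            in_armor_headers = True   # "Hash:" etc. follow until a blank line
            continue
        if in_armor_headers:
            in_armor_headers = line != ""
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            break                     # nothing after this is file content
        if not line or line.startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if m:
            fields.append((m.group(1).lower(), m.group(2)))
    return fields

def csaf_references(text):
    """Split CSAF values into (accepted, rejected); only https URLs with a host pass."""
    accepted, rejected = [], []
    for name, value in parse_fields(text):
        if name == "csaf":
            u = urlsplit(value)
            ok = u.scheme == "https" and bool(u.hostname)
            (accepted if ok else rejected).append(value)
    return accepted, rejected
```

Field names are matched case-insensitively, and the `Hash:` armor header of a signed file is skipped so it is not mistaken for a security.txt field.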