
Add "CSAF" field to find OASIS CSAF documents

Open nightwatchcyber opened this issue 3 years ago • 9 comments

CSAF is an OASIS draft standard to define a machine readable format for security advisories. It would be something like: CSAF: https://psirt.domain.tld/advisories/csaf/

See: https://github.com/oasis-tcs/csaf/issues/152

nightwatchcyber avatar Feb 24 '21 02:02 nightwatchcyber
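As an added illustration (not code from this issue thread, the security.txt project, or the CSAF TC), here is a small Python parser that reads a security.txt body, extracts every `CSAF` field as proposed above, and flags any value that is not an absolute https URL. The sample file content is constructed; field names are matched case-insensitively and `#` comment lines are skipped, as in the security.txt format.

```python
import re
from urllib.parse import urlparse

# Constructed sample security.txt body (not any real site's file).
SAMPLE = """# Constructed example security.txt
Contact: mailto:psirt@example.com
Expires: 2030-01-01T00:00:00.000Z
CSAF: https://psirt.example.com/advisories/csaf/
csaf: http://psirt.example.com/insecure/
Preferred-Languages: en
"""

# One "field-name: value" line; the name is restricted to token characters.
FIELD_RE = re.compile(r"^([A-Za-z0-9-]+):[ \t]*(.*\S)[ \t]*$")


def parse_security_txt(body):
    """Return (lower-cased field name, value) pairs, ignoring comments and blanks."""
    fields = []
    for raw in body.splitlines():
        line = raw.rstrip("\r")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if m:
            fields.append((m.group(1).lower(), m.group(2)))
    return fields


def csaf_urls(body):
    """All values of the CSAF field, in file order (the field may repeat)."""
    return [value for name, value in parse_security_txt(body) if name == "csaf"]


def valid_csaf_url(value):
    """Accept only absolute https URLs; plain http is treated as a finding here."""
    u = urlparse(value)
    return u.scheme == "https" and bool(u.netloc)


def check(body):
    """Summarise CSAF references found in a security.txt body."""
    urls = csaf_urls(body)
    return {
        "found": len(urls),
        "valid": [u for u in urls if valid_csaf_url(u)],
        "invalid": [u for u in urls if not valid_csaf_url(u)],
    }
```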

Deferred to the future, once the draft is approved this field can be added to the IANA registry via the standard process

nightwatchcyber avatar Feb 24 '21 02:02 nightwatchcyber

Thank you for considering adding a CSAF reference!

santosomar avatar Apr 20 '21 17:04 santosomar

This is now tracked in oasis-tcs/csaf#318. The usage is described in Section 7.1.8 of the CSAF specification.

tschmidtb51 avatar Jul 23 '21 20:07 tschmidtb51

Thanks - security.txt is about to become an RFC and this work can begin right after that

nightwatchcyber avatar Jul 27 '21 02:07 nightwatchcyber

Thank you 🙏

santosomar avatar Jul 27 '21 11:07 santosomar

The RFC has been published: https://www.rfc-editor.org/rfc/rfc9116.html

nightwatchcyber avatar May 23 '22 03:05 nightwatchcyber

A few examples of security.txt with CSAF references:

  • https://www.cisco.com/.well-known/security.txt
  • https://www.tibco.com/.well-known/security.txt

santosomar avatar Aug 30 '22 16:08 santosomar

@santosomar This one works:

  • https://www.cisco.com/.well-known/security.txt

That one does not (any more) and fails with ERR_TOO_MANY_REDIRECTS:

  • https://www.tibco.com/.well-known/security.txt

sthagen avatar Sep 16 '22 10:09 sthagen

I contacted Tibco and they fixed it.

santosomar avatar Sep 21 '22 02:09 santosomar

The value CSAF has been added to the registry: https://www.iana.org/assignments/security-txt-fields/security-txt-fields.xhtml

tschmidtb51 avatar Feb 21 '23 09:02 tschmidtb51