# Security Contact

Having a security contact gives security researchers a designated point of contact to which they can report vulnerabilities.
## SECURITY.md File

### Importance

A SECURITY.md file in your GitHub repository provides clear instructions on how to report security vulnerabilities.

### Example Content

```markdown
# Security Policy

We take the security of our project seriously. If you discover any security vulnerabilities, please report them responsibly.

## Reporting a Vulnerability

Please email us at security@projectname.TLD with the details of the vulnerability. We will respond as soon as possible.

We appreciate your help in improving the security of our project.
```
## Security Email Address

### Importance

Having a dedicated security email address (e.g., security@projectname.TLD) ensures that vulnerability reports are directed to the appropriate team members.

### Setup

- Dedicated Team: Ensure that the security email is monitored by a team with the expertise to handle vulnerability reports.
- Prompt Responses: Aim to acknowledge receipt of vulnerability reports within 24 hours.
## .well-known/security.txt

### Importance

The .well-known/security.txt file (standardized in RFC 9116) is a standardized way to provide security contact information on your website.

### Example Content

```text
Contact: mailto:security@projectname.TLD
# Expires is mandatory under RFC 9116; the date below is a placeholder to replace with your own
Expires: 2025-12-31T23:59:59.000Z
Encryption: https://projectname.TLD/pgp-key.txt
Acknowledgments: https://projectname.TLD/hall-of-fame.html
Policy: https://projectname.TLD/security-policy.html
Preferred-Languages: en
```

### Implementation

- Standard Location: Place the security.txt file in the .well-known directory of your website (e.g., https://projectname.TLD/.well-known/security.txt).
- Regular Updates: Keep the security.txt file updated with current contact information and policies, and renew the Expires date before it passes, since a stale file tells researchers the contact may no longer be monitored.
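The following validator, added here as an example and not part of the original page, checks a security.txt body against the RFC 9116 rules the example above relies on: `Contact` and `Expires` are required, `Contact` must be a `mailto:`, `https://` or `tel:` URI, link fields must use `https://`, and `Expires` must be an RFC 3339 timestamp with a timezone that has not passed. The sample files in the block are constructed; the project name `projectname.TLD` is a placeholder.

```python
"""Offline validator for a security.txt body (RFC 9116). Example code, not from the page."""
from datetime import datetime, timezone

REQUIRED_FIELDS = ("contact", "expires")          # tuple keeps report order stable
# Field names registered by RFC 9116 (compared case-insensitively)
ALLOWED_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                  "expires", "hiring", "policy", "preferred-languages"}
LINK_FIELDS = {"acknowledgments", "canonical", "encryption", "hiring", "policy"}
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text):
    """Return a list of (field, value) pairs with field names lower-cased.

    Blank lines and '#' comments are skipped; any other line must be 'Field: value'.
    """
    fields = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'Field: value' line")
        name, value = line.split(":", 1)
        fields.append((name.strip().lower(), value.strip()))
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problem strings; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    names = [name for name, _ in fields]
    for req in REQUIRED_FIELDS:
        if req not in names:
            problems.append(f"missing required field: {req.title()}")
    if names.count("expires") > 1:
        problems.append("Expires must appear exactly once")
    for name, value in fields:
        if name not in ALLOWED_FIELDS:
            # Catches misspellings such as "Acknowledgements" that tools will ignore
            problems.append(f"unknown field: {name}")
        if name == "contact" and not value.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:, https:// or tel: URI, got {value!r}")
        if name in LINK_FIELDS and not value.startswith("https://"):
            problems.append(f"{name.title()} should be an https:// URL, got {value!r}")
        if name == "expires":
            try:
                expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
            except ValueError:
                problems.append(f"Expires is not an RFC 3339 timestamp: {value!r}")
                continue
            if expires.tzinfo is None:
                problems.append("Expires must carry a timezone offset")
            elif expires <= now:
                problems.append("security.txt has expired; researchers may distrust stale contacts")
            elif (expires - now).days > 366:
                problems.append("Expires is more than a year away; RFC 9116 recommends a shorter window")
    return problems


# Constructed sample files for demonstration
GOOD_FILE = """# constructed example
Contact: mailto:security@projectname.TLD
Expires: 2024-12-31T23:59:59.000Z
Encryption: https://projectname.TLD/pgp-key.txt
Acknowledgments: https://projectname.TLD/hall-of-fame.html
Policy: https://projectname.TLD/security-policy.html
Preferred-Languages: en
"""

BAD_FILE = """Contact: security@projectname.TLD
Acknowledgements: https://projectname.TLD/hall-of-fame.html
Policy: https://projectname.TLD/security-policy.html
"""

if __name__ == "__main__":
    check_time = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for label, body in (("good", GOOD_FILE), ("bad", BAD_FILE)):
        print(label, validate_security_txt(body, now=check_time) or "OK")
```

Run against the page's own example, the validator flags the British spelling `Acknowledgements` as an unknown field and a missing `Expires`, which are the two defects most commonly seen in deployed files; running it in CI against the served `/.well-known/security.txt` keeps the contact data from silently going stale.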
## Managing Security Contacts

### Responsibilities

- Triage: Assess and prioritize vulnerability reports based on severity and impact.
- Communication: Maintain clear and respectful communication with reporters. Provide regular updates on the status of their reports.
- Resolution: Work promptly to resolve reported vulnerabilities and update the reporter on the actions taken.

### Best Practices

- Confidentiality: Treat all vulnerability reports as confidential until a fix is implemented.
- Acknowledgement: Consider publicly acknowledging researchers who report vulnerabilities, with their permission.
- Transparency: Be transparent about your vulnerability disclosure process and timelines.