Security Contact

tag: [Engineer/Developer, Security Specialist]

Having a security contact provides a designated point of contact for security researchers to report vulnerabilities to.

SECURE.md File

Importance

A SECURE.md file in your GitHub repository provides clear instructions on how to report security vulnerabilities.

Example Content

# Security Policy

We take the security of our project seriously. If you discover any security vulnerabilities, please report them responsibly.

## Reporting a Vulnerability

Please email us at security@projectname.TLD with the details of the vulnerability. We will respond as soon as possible.

We appreciate your help in improving the security of our project.

Security Email Address

Importance

Having a dedicated security email address (e.g., security@projectname.TLD) ensures that vulnerability reports are directed to the appropriate team members.

Setup

  • Dedicated Team: Ensure that the security email is monitored by a team with the expertise to handle vulnerability reports.
  • Prompt Responses: Aim to acknowledge receipt of vulnerability reports within 24 hours.

.well-known/security.txt

Importance

The .well-known/security.txt file is a standardized way to provide security contact information on your website.

Example Content

Contact: mailto:security@projectname.TLD
Encryption: https://projectname.TLD/pgp-key.txt
Acknowledgments: https://projectname.TLD/hall-of-fame.html
Policy: https://projectname.TLD/security-policy.html
Preferred-Languages: en

Implementation

  • Standard Location: Place the security.txt file in the .well-known directory of your website (e.g., https://projectname.TLD/.well-known/security.txt).
  • Regular Updates: Keep the security.txt file updated with current contact information and policies.
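One way to automate the Regular Updates item, as an added example that is not part of the original page: a small checker for a security.txt file. RFC 9116, which standardizes the file, requires a Contact field and exactly one Expires field, and requires web URIs to use https://. The function names, the 30-day warning window and the sample file are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Field names registered by RFC 9116 (matched case-insensitively).
KNOWN = {"contact", "expires", "encryption", "acknowledgments", "policy",
         "preferred-languages", "canonical", "hiring"}

def check_expires(value, now, warn_days):
    """Return a finding for a bad, past or soon-to-lapse Expires, else None."""
    try:
        expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return f"Expires is not an RFC 3339 timestamp: {value}"
    if expires.tzinfo is None:
        return f"Expires has no time zone offset: {value}"
    if expires <= now:
        return f"file expired on {value}"
    if expires - now < timedelta(days=warn_days):
        return f"file expires within {warn_days} days"

def validate(text, now=None, warn_days=30):
    """Return a list of findings; an empty list means nothing was flagged."""
    now = now or datetime.now(timezone.utc)
    lines = [ln.strip() for ln in text.splitlines()]
    # Keep "Name: value" lines; skip blanks and # comments.
    fields = [(n.strip().lower(), v.strip()) for n, _, v in
              (ln.partition(":") for ln in lines if ":" in ln and not ln.startswith("#"))]
    names, findings = [name for name, _ in fields], []
    if "contact" not in names:
        findings.append("missing required Contact field")
    if names.count("expires") != 1:
        findings.append("Expires must appear exactly once")
    for name, value in fields:
        if name not in KNOWN:
            findings.append(f"unregistered field, parsers may ignore it: {name}")
        elif name == "contact" and ":" not in value:
            findings.append(f"Contact is not a URI (missing mailto:?): {value}")
        elif value.startswith("http://"):
            findings.append(f"{name} must use https://: {value}")
        elif name == "expires" and names.count("expires") == 1:
            finding = check_expires(value, now, warn_days)
            if finding:
                findings.append(finding)
    return findings

# Constructed sample: bare e-mail Contact, plain-http Policy, lapsed Expires.
STALE = """Contact: security@projectname.TLD
Expires: 2020-01-01T00:00:00Z
Policy: http://projectname.TLD/security-policy.html
"""
```

Calling `validate(STALE)` returns one finding per problem in the sample. Running the same check on the deployed file from a scheduled job turns a lapsing Expires date into a reminder to review the contact details.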

Managing Security Contacts

Responsibilities

  • Triage: Assess and prioritize vulnerability reports based on severity and impact.
  • Communication: Maintain clear and respectful communication with reporters. Provide regular updates on the status of their reports.
  • Resolution: Work promptly to resolve reported vulnerabilities and update the reporter on the actions taken.

Best Practices

  • Confidentiality: Treat all vulnerability reports as confidential until a fix is implemented.
  • Acknowledgement: Consider publicly acknowledging researchers who report vulnerabilities, with their permission.
  • Transparency: Be transparent about your vulnerability disclosure process and timelines.