forked from securitytxt/securitytxt.org
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathindex.html
178 lines (171 loc) · 8.77 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
---
layout: default
index: true
active: 1
directive_tags:
Required: is-danger
Optional: is-success
Only 1 allowed: is-info
directives:
-
name: Contact
id: contact
tags: ['Required']
help: >
A link or e-mail address for people to contact you about security issues. Remember to include "https://"
for URLs, and "mailto:" for e-mails.
placeholder: mailto:[email protected]
spec: 3
-
name: Encryption
id: encryption
tags: ['Optional']
help: A link to a key which security researchers should use to securely talk to you. Remember to include "https://".
placeholder: https://example.com/pgp-key.txt
spec: 4
-
name: Acknowledgments
id: acknowledgments
tags: ['Optional']
help: >
A link to a web page where you say thank you to security researchers who have helped you. Remember
to include "https://".
placeholder: https://example.com/hall-of-fame.html
spec: 1
-
name: Preferred-Languages
id: preferredLanguages
tags: ['Optional', 'Only 1 allowed']
help: >
A comma-separated list of language codes that your security team speaks. <strong>You may include more
than one language</strong>.
placeholder: en, es, ru
spec: 8
-
name: Canonical
id: canonical
tags: ['Optional']
help: >
The URLs for accessing your security.txt file. It is important to include this if you are
digitally signing the security.txt file, so that researchers can know for sure that you didn't just steal
someone else's file with the same content.
placeholder: https://example.com/.well-known/security.txt
spec: 2
-
name: Policy
id: policy
tags: ['Optional']
help: >
A link to a policy detailing what security researchers should do when searching for or reporting security
issues. Remember to include "https://".
placeholder: https://example.com/security-policy.html
spec: 7
-
name: Hiring
id: hiring
tags: ['Optional']
help: A link to any security-related job openings in your organisation. Remember to include "https://".
placeholder: https://example.com/jobs.html
spec: 6
---
<div id="txt-notification">
<div class="notification is-success is-pulled">
<button onclick="removeNotification()" class="delete"></button>
<h1>Your security.txt file has been copied to your clipboard!</h1>
</div>
</div>
<section class="section">
<div class="container">
<h1 class="title">Summary</h1>
<p>
“When security risks in web services are discovered by independent security
researchers who understand the severity of the risk, they often lack the
channels to disclose them properly. As a result, security issues may be left
unreported. security.txt defines a standard to help organizations define the
process for security researchers to disclose security vulnerabilities securely.”
</p>
</div>
</section>
<section class="section">
<div class="container">
<h1 class="title">Step 1</h1>
<p>Create a text file called <code>security.txt</code> under the <code>.well-known</code> directory of your project.</p>
<br>
<form id="genform">
{% for directive in page.directives %}
<fieldset class="box" id="{{directive.id}}">
<legend class="label">
{{ directive.name }}
{% for tag in directive.tags %}
<span class="tag {{ page.directive_tags[tag] }}">{{ tag }}</span>
{% endfor %}
</legend>
<p class="help">
{{ directive.help }} See
<a target="_blank" rel="noopener"
href="https://tools.ietf.org/html/draft-foudil-securitytxt#section-3.5.{{directive.spec}}">
the full description of {{ directive.name }}
</a>
</p>
<ul class="list-of-inputs">
<li class="field">
<div class="control">
<input class="input" placeholder="{{ directive.placeholder }}"
{% if directive.tags contains 'Required' %} required {% endif %}
>
</div>
</li>
</ul>
<div class="field">
<div class="control">
<button type="button" class="button" onclick="addAlternative(this)"
{% if directive.tags contains 'Only 1 allowed' %} disabled {% endif %}
>
Add another alternative
</button>
</div>
</div>
</fieldset>
{% endfor %}
<input class="button is-success" type="submit" value="Generate security.txt file">
</form>
</div>
</section>
<section class="section">
<div class="container">
<h1 class="title" id="step-two">Step 2</h1>
<p>You are ready to go! Publish your security.txt file. If you want to give security researchers confidence that your security.txt file is authentic, and not planted by an attacker, consider <a target="_blank" rel="noopener" href="https://tools.ietf.org/html/draft-foudil-securitytxt-05#section-3.4">digitally signing</a> the file with an OpenPGP cleartext signature.</p>
<div class="field">
<div class="control">
<textarea id="text-to-copy" class="textarea" readonly></textarea>
</div>
</div>
<div class="field">
<div class="control">
<button id="copy-button" class="button button-primary" disabled="true" onclick="copyTextarea()">Copy to clipboard</button>
</div>
</div>
</div>
</section>
<section class="section">
<div class="container content">
<h1 class="title">Frequently asked questions</h1>
<h5>What is the main purpose of security.txt?</h5>
<p>The main purpose of security.txt is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.txt, security researchers can easily get in touch with companies about security issues.</p>
<h5>Is security.txt an <a href="https://en.wikipedia.org/wiki/Request_for_Comments"><abbr title="Request For Comments">RFC</abbr></a>?</h5>
<p>security.txt is currently an Internet draft that has been submitted for <abbr title="Request For Comments">RFC</abbr> review. This means that security.txt is still in the early stages of development. We welcome contributions from the public: <a href="https://github.com/securitytxt/security-txt">https://github.com/securitytxt/security-txt</a></p>
<h5>Where should I put the security.txt file?</h5>
<p>For websites, the security.txt file should be placed under the <code>/.well-known/</code> path (<code>/.well-known/security.txt</code>) [<a href="https://tools.ietf.org/html/rfc8615"><abbr title="Request For Comments">RFC</abbr>8615</a>]. It can also be placed in the root directory (<code>/security.txt</code>) of a website, especially if the <code>/.well-known/</code> directory cannot be used for technical reasons, or simply as a fallback. The file can be placed in both locations of a website at the same time. For code repositories, the file should be placed in the root directory of the repository.</p>
<h5>Are there any settings I should apply to the file?</h5>
<p>The security.txt file should have an Internet Media Type of <code>text/plain</code> and must be served over HTTPS.</p>
<h5>Will adding an email address expose me to spam bots?</h5>
<p>The email value is an optional field. If you are worried about spam, you can set a URI as the value and link to your security policy.</p>
</div>
</section>
<section class="section is-medium">
<div class="container content has-text-centered is-fluid">
<h1 class="title">Spread the word</h1>
<a target="_blank" class="button is-info" href="https://twitter.com/intent/tweet?text=security.txt%20-%20A%20proposed%20standard%20that%20allows%20websites%20to%20define%20security%20policies.%20https%3A%2F%2Fsecuritytxt.org%2F">Share on Twitter 📣 🎉 ⚡️ 🔥</a>
</div>
</section>
<script src="{{ "/js/genform.js" | relative_url}}?v={{ site.time | date: "%s" }}"></script>