Page MenuHomePhabricator
Create Task
Maniphest T187617

Add security.txt to Wikimedia sites?
Closed, DeclinedPublic
Actions

Description

https://securitytxt.org/

security.txt is currently an Internet draft that has been submitted for RFC review.

https://github.com/securitytxt/security-txt

And as a followup to T158119, we could/should probably expand SECURITY in mw core to say something similar

Where should I put the security.txt file?
The security.txt file should be placed under the /.well-known/ path (/.well-known/security.txt) [RFC5785].

Not sure if using /.well-known/ is going to cause an issue. Probably a question for SRE under Wikimedia-Apache-configuration

Spurred by more security bugs going to OTRS, so either people are lazy, or we're not visible enough... Or security@domain isn't as common as we'd think

Related Objects

Event Timeline

Reedy created this task.Feb 17 2018, 10:59 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 17 2018, 10:59 AM
RazeSoldier subscribed.Feb 17 2018, 1:01 PM
Peachey88 subscribed.Feb 18 2018, 8:50 AM
Bawolff subscribed.Feb 19 2018, 11:12 AM

While if its just a text file in .well-known, certainly couldnt hurt.

Im kind of doubtful people will actually look at it though. It strikes me more as a wannabe standard than an actual standard.

Reedy added a comment.Feb 19 2018, 11:24 AM

Indeed, I did say it was a draft ;) - https://tools.ietf.org/html/draft-foudil-securitytxt-03

I'm still amused/confused how people ("security researchers") find the OTRS emails to send to, but don't try or know of security@domain

Seton subscribed.Feb 22 2018, 4:20 AM
revi subscribed.Mar 13 2018, 7:12 AM
srodlund moved this task from Backlog to Completed, Blocked, Wrong Category, Refinement Needed, or Older Needs Review on the Documentation board.Aug 17 2018, 6:42 PM
chasemp edited projects, added Security-team-backlog; removed Security-Team.Sep 4 2018, 3:30 PM
Chicocvenancio subscribed.Feb 28 2019, 1:32 PM
Peachey88 added a comment.Nov 29 2019, 9:54 AM

Security.txt seems to be gaining a bit more traction
USG: https://twitter.com/GossiTheDog/status/1199785508483801088
Shodan: https://twitter.com/GossiTheDog/status/1199807007219474432

Bawolff awarded a token.Nov 29 2019, 9:55 AM
DannyS712 awarded a token.Nov 29 2019, 11:02 AM
DannyS712 subscribed.
chasemp triaged this task as Low priority.Dec 9 2019, 5:10 PM
chasemp edited projects, added Security-Team; removed Security-team-backlog.Dec 23 2019, 5:12 PM
chasemp moved this task from Incoming to Back Orders on the Security-Team board.
chasemp added a project: Security.Feb 10 2020, 11:00 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:08 PM
chasemp closed this task as Declined.Feb 20 2020, 9:12 PM
toan subscribed.Sep 27 2021, 6:44 AM
Peachey88 merged a task: T297281: Security.txt.Dec 8 2021, 12:23 PM
Peachey88 added a subscriber: Hyphen.
PerfektesChaos subscribed.Dec 8 2021, 12:34 PM

I think it should be reconsidered every couple of years.

  • It needs to be investigated whether this is common practice today and we should provide that. Basically also a “webmaster” is to be contacted somehow.
  • The individual wiki page is not affected, but a single file per WMF subdomain or just domain could be accessed which may all be redirected to the one and only definition specifying an e-mail address and perhaps Phabricator security report procedure.
  • If we could improve security at low cost which is quite easy to maintain we should do that one day. If security detection bots are expecting such URL we might serve; if not commonly used we can postpone it some years agein.
Reedy added a comment.Dec 8 2021, 2:51 PM

While I’m not necessarily opposed, it’s still only a “proposed standard”.

PerfektesChaos added a comment.Dec 8 2021, 7:18 PM

Yeah, in January 2020 it has been made a step forward by closing the call for comments.

As long as there are no listeners we do not need to shout.

However, for external detectives it is not obvious to understand how a Phabricator Security Bug is to be filed when discovering bad things in Chinese Wikisource.

Since it is no big deal to let a common guide occur on major WMF domains we might provide that in 2022, or reconsider again. We are at top 10 websites in the world and could act as a role model.

taavi subscribed.Dec 8 2021, 7:20 PM
Reedy added a comment.Dec 8 2021, 7:29 PM

As another “standard” emailing security@ works fine for many people.

Reedy mentioned this in T337949: Add security.txt to Wikimedia sites? (2023 edition).Jun 1 2023, 3:19 PM
RhinosF1 subscribed.Jun 1 2023, 3:22 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL