Add security.txt file #5359

daniel-beck · 2022-08-10T08:49:30Z

See https://securitytxt.org/

The expiration date is mandatory and a bit annoying. Options:

Currently implemented: Yearly expiration date we need to keep updating.
Date far in the future so we don't need to care at the risk of keeping obsolete data "in caches"
Automatically generate this field on site generation to be a few months into the future. Might be annoying given the workaround we're already applying to make .well-known/ work.

Thoughts?

dduportal · 2022-08-10T11:25:17Z

Make a lot of sense, thanks Daniel!

I got 2 questions (non blocking):

About the date renewal, WDYT about a process that would open a PR with a new date once or twice a year (or more frequently?). That would act as an automatic and no-brainer reminder to ask ourselves "are these informations still up to date" ?
Do you feel we should apply the same security.txt to other websites (such as updates.jenkins.io, get.jenkins.io, etc.)?

MarkEWaite · 2022-08-10T12:08:16Z

I like it. I don't mind updating the expiration date once a year with a pull request created by a human being. It shows that someone considered if the referenced pages are current and complete.

What if we extended the Jenkinsfile with a script that marks the build unstable when we are within a month of expiration? It currently checks for typos as one of the stages on ci.jenkins.io.

dduportal · 2022-08-10T12:21:00Z

with a pull request created by a human being

I though an automated PR (e.g. with updatecli or renovabot or even cron trigger) which does all the trick (to ensure that the date format is kept: I do not trust humans for date formats), but requires a human approval.

content/.well-known/security.txt

StackScribe · 2024-12-04T00:30:50Z

This looks something we might be able to finish off and merge.

content/.well-known/security.txt

Co-authored-by: Meg McRoberts <meg.mcroberts@dynatrace.com>

Wadeck

thanks for the initiative

Wadeck · 2024-12-04T09:04:53Z

content/.well-known/security.txt

+
+Expires: 2026-01-01T00:00:00.000Z
+Canonical: https://www.jenkins.io/.well-known/security.txt
+Policy: https://www.jenkins.io/security/reporting/


Suggested change

Policy: https://www.jenkins.io/security/reporting/

Policy: https://www.jenkins.io/security/reporting/

Policy: https://github.com/jenkinsci/docker/blob/master/SECURITY.md

adding the policy specific to CVEs reporting

Actual link is

Suggested change

Policy: https://www.jenkins.io/security/reporting/

Policy: https://www.jenkins.io/security/reporting/

Policy: https://github.com/jenkinsci/docker/security/policy

gounthar · 2024-12-04T09:31:36Z

Just as a precaution, I have an updatecli manifest designed to keep the expiration date current. As we approach the final month before expiration, it will automatically create a PR to extend the date by one year into the future.

Add security.txt file

38e2a80

daniel-beck requested a review from Wadeck August 10, 2022 08:49

infra-ci-jenkins-io bot deployed to preview August 10, 2022 08:59 View deployment

Add workaround for Awestruct ignoring . prefixed directories

374a745

infra-ci-jenkins-io bot deployed to preview August 10, 2022 09:16 View deployment

infra-ci-jenkins-io bot deployed to preview March 24, 2023 18:40 View deployment

infra-ci-jenkins-io bot deployed to preview July 30, 2024 19:05 View deployment

infra-ci-jenkins-io bot deployed to preview August 1, 2024 09:22 View deployment

infra-ci-jenkins-io bot deployed to preview August 1, 2024 13:22 View deployment

infra-ci-jenkins-io bot deployed to preview August 1, 2024 17:24 View deployment

infra-ci-jenkins-io bot deployed to preview August 5, 2024 07:24 View deployment

infra-ci-jenkins-io bot deployed to preview August 5, 2024 21:23 View deployment

infra-ci-jenkins-io bot deployed to preview August 6, 2024 11:23 View deployment

infra-ci-jenkins-io bot deployed to preview August 7, 2024 13:23 View deployment

infra-ci-jenkins-io bot deployed to preview August 7, 2024 15:25 View deployment

infra-ci-jenkins-io bot deployed to preview August 7, 2024 19:22 View deployment

infra-ci-jenkins-io bot deployed to preview August 7, 2024 21:23 View deployment

infra-ci-jenkins-io bot deployed to preview August 8, 2024 19:22 View deployment

infra-ci-jenkins-io bot deployed to preview August 12, 2024 05:23 View deployment

infra-ci-jenkins-io bot deployed to preview August 13, 2024 14:22 View deployment

infra-ci-jenkins-io bot deployed to preview August 19, 2024 04:24 View deployment

infra-ci-jenkins-io bot deployed to preview August 19, 2024 15:55 View deployment

infra-ci-jenkins-io bot deployed to preview August 20, 2024 15:52 View deployment

infra-ci-jenkins-io bot deployed to preview August 20, 2024 19:52 View deployment

infra-ci-jenkins-io bot deployed to preview August 21, 2024 14:22 View deployment

infra-ci-jenkins-io bot deployed to preview August 21, 2024 16:23 View deployment

infra-ci-jenkins-io bot deployed to preview August 22, 2024 14:54 View deployment

infra-ci-jenkins-io bot deployed to preview December 3, 2024 01:51 View deployment

infra-ci-jenkins-io bot deployed to preview December 3, 2024 09:51 View deployment

infra-ci-jenkins-io bot deployed to preview December 3, 2024 15:51 View deployment

infra-ci-jenkins-io bot deployed to preview December 3, 2024 21:50 View deployment

StackScribe reviewed Dec 4, 2024

View reviewed changes

content/.well-known/security.txt Outdated Show resolved Hide resolved

StackScribe reviewed Dec 4, 2024

View reviewed changes

content/.well-known/security.txt Outdated Show resolved Hide resolved

daniel-beck commented Dec 4, 2024

View reviewed changes

content/.well-known/security.txt Outdated Show resolved Hide resolved

Apply suggestions from code review

d436a7a

Co-authored-by: Meg McRoberts <meg.mcroberts@dynatrace.com>

infra-ci-jenkins-io bot deployed to preview December 4, 2024 08:44 View deployment

daniel-beck and others added 2 commits December 4, 2024 09:58

Update Expires

43fb6fb

Merge branch 'master' into security.txt

7f3841d

Wadeck approved these changes Dec 4, 2024

View reviewed changes

infra-ci-jenkins-io bot deployed to preview December 4, 2024 09:11 View deployment

infra-ci-jenkins-io bot deployed to preview December 4, 2024 18:51 View deployment

infra-ci-jenkins-io bot deployed to preview December 4, 2024 20:51 View deployment

infra-ci-jenkins-io bot deployed to preview December 4, 2024 22:51 View deployment

infra-ci-jenkins-io bot deployed to preview December 5, 2024 18:51 View deployment

infra-ci-jenkins-io bot deployed to preview December 8, 2024 07:51 View deployment

infra-ci-jenkins-io bot deployed to preview December 8, 2024 09:52 View deployment

infra-ci-jenkins-io bot deployed to preview December 9, 2024 07:51 View deployment

infra-ci-jenkins-io bot deployed to preview December 9, 2024 09:52 View deployment

infra-ci-jenkins-io bot deployed to preview December 9, 2024 18:52 View deployment

infra-ci-jenkins-io bot deployed to preview December 10, 2024 14:53 View deployment

infra-ci-jenkins-io bot deployed to preview December 11, 2024 04:51 View deployment

infra-ci-jenkins-io bot deployed to preview December 11, 2024 18:50 View deployment

infra-ci-jenkins-io bot deployed to preview December 11, 2024 22:51 View deployment

infra-ci-jenkins-io bot deployed to preview December 13, 2024 20:51 View deployment

infra-ci-jenkins-io bot deployed to preview December 13, 2024 22:51 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add security.txt file #5359

Add security.txt file #5359

daniel-beck commented Aug 10, 2022 •

edited

Loading

dduportal commented Aug 10, 2022

MarkEWaite commented Aug 10, 2022

dduportal commented Aug 10, 2022

StackScribe commented Dec 4, 2024

Wadeck left a comment

Wadeck Dec 4, 2024 •

edited

Loading

daniel-beck Dec 4, 2024

gounthar commented Dec 4, 2024

	Policy: https://www.jenkins.io/security/reporting/
	Policy: https://www.jenkins.io/security/reporting/
	Policy: https://github.com/jenkinsci/docker/blob/master/SECURITY.md

Add security.txt file #5359

Are you sure you want to change the base?

Add security.txt file #5359

Conversation

daniel-beck commented Aug 10, 2022 • edited Loading

dduportal commented Aug 10, 2022

MarkEWaite commented Aug 10, 2022

dduportal commented Aug 10, 2022

StackScribe commented Dec 4, 2024

Wadeck left a comment

Choose a reason for hiding this comment

Wadeck Dec 4, 2024 • edited Loading

Choose a reason for hiding this comment

daniel-beck Dec 4, 2024

Choose a reason for hiding this comment

gounthar commented Dec 4, 2024

daniel-beck commented Aug 10, 2022 •

edited

Loading

Wadeck Dec 4, 2024 •

edited

Loading