
docs(frontend): add security.txt #2252

Open. Wants to merge 8 commits into base: main

Conversation

Erb3 (Contributor) commented Aug 22, 2024

Security.txt is a well-known (pun intended) file among security researchers, so they don't have to go scavenging for your security information. More information is available on [securitytxt.org](https://securitytxt.org/).

I've set the following values:

- The email to contact with issues, `jai@modrinth.com`. This is the email stated in the security policy. If you wish to not include it here due to spam, you should also not have it as a `mailto` link in the security policy.
- Expiry is set to 2030. By this time Modrinth will have become the biggest Minecraft mod distributor and expanded into other games. By this time they should also have updated this file.
- English is the preferred language
- The file is located at modrinth.com/.well-known/security.txt
- The security policy is at https://modrinth.com/legal/security

The following values have been left unset:

- PGP key, not sure where this would be located, if there is one
- Acknowledgments. Modrinth does not currently have a site for thanks
- Hiring, as it wants security-related positions
- CSAF, a Common Security Advisory Framework?
Erb3 changed the title from "feat: add security.txt" to "docs(frontend): add security.txt" on Aug 22, 2024

Erb3 (Contributor, Author) commented Aug 22, 2024

CI failure unrelated to PR, fixed in #2296

This addresses a concern where the security.txt has a long expiration date. Someone could treat this as "use this until then", which we don't want since it's a long time. The specification recommends no longer than one year, since the field's purpose is to mark the file as stale.

From the RFC:

> The "Expires" field indicates the date and time after which the data contained in the "security.txt" file is considered stale and should not be used (as per Section 5.3). The value of this field is formatted according to the Internet profiles of [ISO.8601-1] and [ISO.8601-2] as defined in [RFC3339]. It is RECOMMENDED that the value of this field be less than a year into the future to avoid staleness.

Signed-off-by: Erb3 <49862976+Erb3@users.noreply.github.com>
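A small checker for the fields this PR sets and the Expires recommendation quoted above, added here as an example; it is not part of the PR or of Modrinth's code. The sample file is constructed to mirror the values the PR describes (including the 2030 expiry the commit fixes), and the one-year threshold follows the RFC text quoted in the commit message.

```python
from datetime import datetime, timedelta

# Constructed sample modelled on the fields this PR sets; not the repo's real file.
SAMPLE = """Contact: mailto:jai@modrinth.com
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
Canonical: https://modrinth.com/.well-known/security.txt
Policy: https://modrinth.com/legal/security
"""

def parse_rfc3339(value):
    """RFC 3339 timestamp -> aware datetime, or None if unparsable or missing a zone."""
    try:
        when = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    except ValueError:
        return None
    return when if when.tzinfo else None

def parse_security_txt(text):
    """Map lower-cased field name -> list of values, skipping blanks and # comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:  # a line without a colon is malformed; ignore it
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now):
    """Return findings (empty list = passes); Expires is judged against aware datetime `now`."""
    fields = parse_security_txt(text)
    contacts = fields.get("contact", [])
    findings = [] if contacts else ["missing required Contact field"]
    for c in contacts:  # RFC 9116: Contact values are URIs, not bare addresses
        if not c.startswith(("mailto:", "https://", "tel:")):
            findings.append(f"Contact is not a URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("Expires is required and must appear exactly once")
    else:
        when = parse_rfc3339(expires[0])
        if when is None:
            findings.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
        elif when <= now:
            findings.append("file is stale: Expires is in the past")
        elif when - now > timedelta(days=365):
            findings.append("Expires is over a year out; RFC 9116 recommends under a year")
    return findings
```

Run against the sample at the PR's date, the only finding is the far-future Expires; moving it to within a year clears the file.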
pauliesnug commented

generally this would be signed with a gpg signature belonging to the modrinth team that can be used for communication. additionally, modrinth already has a security policy on their website and security.md, so those should be standardized

Erb3 (Contributor, Author) commented Aug 22, 2024

> generally this would be signed with a gpg signature belonging to the modrinth team that can be used for communication.

That's true, but also outside of my power. I'm also not sure how useful this would be? Whilst we want Modrinth to be secure, and that's important, nobody other than Jai should have access to jai@modrinth.com. I can't imagine any attacker going out of their way to intercept those emails, instead of just... looking for vulnerabilities?

> additionally, modrinth already has a security policy on their website and security.md, so those should be standardized

I'm not sure what you mean by "standardized"? I am already linking to the policy. There is also no security.md that I could find, besides ones linking to the policy on the website?

Erb3 requested a review from brawaru on September 15, 2024