-
Notifications
You must be signed in to change notification settings - Fork 190
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs(frontend): add security.txt #2252
base: main
Are you sure you want to change the base?
Conversation
Security.txt is a well-known (pun intended) file among security researchers, so they don't have to go scavenging for your security information. More information is available on [securitytxt.org](https://securitytxt.org/). I've set the following values: - The email to contact with issues, `jai@modrinth.com`. This is the email stated in the security policy. If you wish to not include it here due to spam, you should also not have it as a `mailto` link in the security policy. - Expiry is set to 2030. By this time Modrinth has become the biggest Minecraft mod distributor, and having expanded into other games. By this time they should also have updated this file. - English is the preferred language - The file is located at modrinth.com/.well-known/security.txt - The security policy is at https://modrinth.com/legal/security The following values have been left unset: - PGP key, not sure where this would be located, if there is one - Acknowledgments. Modrinth does currently not have a site for thanks - Hiring, as it wants security-related positions - CSAF, a Common Security Advisory Framework ?
|
This addresses a concern where the security.txt has a long expiration date. Someone could treat this as "use this until then", which we don't want since it's a long time. The specification recommends no longer than one year, as it is to mark as stale. From the RFC: > The "Expires" field indicates the date and time after which the data contained in the "security.txt" file is considered stale and should not be used (as per Section 5.3). The value of this field is formatted according to the Internet profiles of [ISO.8601-1] and [ISO.8601-2] as defined in [RFC3339]. It is RECOMMENDED that the value of this field be less than a year into the future to avoid staleness. Signed-off-by: Erb3 <49862976+Erb3@users.noreply.github.com>
generally this would be signed with a gpg signature belonging to the modrinth team that can be used for communication. additionally, modrinth already has a security police on their website and security.md, so those should be standardized |
That's true, but also outside of my power. I'm also not sure how useful this would be? Whilst we want Modrinth to be secure, and that's important, nobody other than Jai should have access to
I'm not sure what you mean by "standardized"? I am already linking to the policy. There is also no security.md that I could find, besides ones linking to the policy on the website? |
Security.txt is a well-known (pun intended) file among security researchers, so they don't have to go scavenging for your security information. More information is available on securitytxt.org.
I've set the following values:
jai@modrinth.com
.The following values have been left unset: