From 727b00855ee691a96b7f97793bb86b42a5834fde Mon Sep 17 00:00:00 2001
From: Erb3 <49862976+Erb3@users.noreply.github.com>
Date: Thu, 22 Aug 2024 17:30:32 +0200
Subject: [PATCH 1/2] feat: add security.txt

Security.txt is a well-known (pun intended) file among security researchers, so they don't have to go scavenging for your security information. More information is available on [securitytxt.org](https://securitytxt.org/).

I've set the following values:

- The email to contact with issues, `jai@modrinth.com`. This is the email stated in the security policy. If you wish to not include it here due to spam, you should also not have it as a `mailto` link in the security policy.
- Expiry is set to 2030. By this time Modrinth has become the biggest Minecraft mod distributor and has expanded into other games. By this time they should also have updated this file.
- English is the preferred language
- The file is located at modrinth.com/.well-known/security.txt
- The security policy is at https://modrinth.com/legal/security

The following values have been left unset:

- PGP key, not sure where this would be located, if there is one
- Acknowledgments. Modrinth does not currently have a site for thanks
- Hiring, as it wants security-related positions
- CSAF, a Common Security Advisory Framework?
---
 apps/frontend/src/public/.well-known/security.txt | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 apps/frontend/src/public/.well-known/security.txt

diff --git a/apps/frontend/src/public/.well-known/security.txt b/apps/frontend/src/public/.well-known/security.txt
new file mode 100644
index 000000000..12b44e712
--- /dev/null
+++ b/apps/frontend/src/public/.well-known/security.txt
@@ -0,0 +1,5 @@
+Contact: mailto:jai@modrinth.com
+Expires: 2030-01-01T00:00:00.000Z
+Preferred-Languages: en
+Canonical: https://modrinth.com/.well-known/security.txt
+Policy: https://modrinth.com/legal/security

From 414bcaf34852788417d91bcd9f377f42829ffef0 Mon Sep 17 00:00:00 2001
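Review bot: `+Expires: 2030-01-01T00:00:00.000Z` is more than five years out, while the RFC text quoted in the second patch of this series recommends a value less than a year into the future so that a stale file stops being trusted; pick a date within a year and pair it with a reminder or a scheduled CI check that fails when the date is within a month of expiry. Two things to confirm before merging: that files under apps/frontend/src/public/.well-known/ are actually served at https://modrinth.com/.well-known/security.txt over HTTPS as plain text, since the `+Canonical:` line asserts that exact URL and a 404 or an HTML page from the frontend's routing would make the file useless to a researcher; and, since the description already lists the PGP key as unset, that a follow-up adds an Encryption field and a signed file once a key exists, so a reader can verify that the contact data has not been tampered with.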
From: Erb3 <49862976+Erb3@users.noreply.github.com>
Date: Thu, 22 Aug 2024 19:10:51 +0200
Subject: [PATCH 2/2] fix(docs): reduce security.txt expiry

This addresses a concern where the security.txt has a long expiration date. Someone could treat this as "use this until then", which we don't want since it's a long time. The specification recommends no longer than one year, as it is meant to mark the file as stale. From the RFC:

> The "Expires" field indicates the date and time after which the data contained in the "security.txt" file is considered stale and should not be used (as per Section 5.3). The value of this field is formatted according to the Internet profiles of [ISO.8601-1] and [ISO.8601-2] as defined in [RFC3339]. It is RECOMMENDED that the value of this field be less than a year into the future to avoid staleness.

Signed-off-by: Erb3 <49862976+Erb3@users.noreply.github.com>
---
 apps/frontend/src/public/.well-known/security.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/frontend/src/public/.well-known/security.txt b/apps/frontend/src/public/.well-known/security.txt
index 12b44e712..c9483bfb6 100644
--- a/apps/frontend/src/public/.well-known/security.txt
+++ b/apps/frontend/src/public/.well-known/security.txt
@@ -1,5 +1,5 @@
 Contact: mailto:jai@modrinth.com
-Expires: 2030-01-01T00:00:00.000Z
+Expires: 2025-06-01T00:00:00.000Z
 Preferred-Languages: en
 Canonical: https://modrinth.com/.well-known/security.txt
 Policy: https://modrinth.com/legal/security
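Review bot: `+Expires: 2025-06-01T00:00:00.000Z` is roughly nine months after the commit date, which satisfies the quoted recommendation, but the file now goes stale on that date unless someone renews it, and a stale security.txt is worse than a short one because researchers are told not to use its contact data; suggest a calendar reminder or a scheduled CI job that parses the Expires line and fails when it is within 30 days, so renewal is not forgotten. Minor: the commit prefix `fix(docs)` is used for a change under apps/frontend/src/public, and this patch carries a Signed-off-by while the first patch in the series does not; make both consistent if the repository enforces either convention.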