Comments (3)
An updated example: Facebook's security.txt currently has both Policy fields, with a comment explaining each one.
Contact: https://www.facebook.com/whitehat/report/
Acknowledgments: https://www.facebook.com/whitehat/thanks/
Hiring: https://www.facebook.com/careers/teams/security/
# Found a bug? Our bug bounty policy:
Policy: https://www.facebook.com/whitehat/info/
# What we do when we find a bug in another product:
Policy: https://www.facebook.com/security/advisories/Vulnerability-Disclosure-Policy
Expires: Thu, 20 May 2021 10:35:20 -0700
from security-txt.
What percent of large organizations have more than one policy such as in the example above?
I agree with @cqueern. This may not apply to the majority of organizations. However, it is still an interesting suggestion. There are also companies (such as Cisco, Google, etc.) that have security research teams that also report vulnerabilities externally and have a separate policy for that function. For example:
- The traditional Security Vulnerability Policy: https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html
- The Cisco Talos Vendor Vulnerability Reporting and Disclosure Policy: https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html
The problem may be differentiating between both (i.e., from a tool perspective, which one should I pick for the specific use case?). This is probably where a more well defined JSON schema may be better suited for this.
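The tooling question raised above (which of several Policy values should a client pick?) is easiest to see with a parser that keeps the comment preceding each field, as in the Facebook file quoted in the first comment. This is an added example, not code from the security-txt project; it assumes the RFC 5322 date format used in that quoted Expires line and treats a comment block directly above a field as its label.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the Facebook security.txt quoted earlier in this thread.
SAMPLE = """\
Contact: https://www.facebook.com/whitehat/report/
Acknowledgments: https://www.facebook.com/whitehat/thanks/
Hiring: https://www.facebook.com/careers/teams/security/
# Found a bug? Our bug bounty policy:
Policy: https://www.facebook.com/whitehat/info/
# What we do when we find a bug in another product:
Policy: https://www.facebook.com/security/advisories/Vulnerability-Disclosure-Policy
Expires: Thu, 20 May 2021 10:35:20 -0700
"""

FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(.+?)\s*$")


def parse_security_txt(text):
    """Return (field, value, comment) triples in file order.
    'comment' is the run of '#' lines directly above the field; a blank
    line breaks that association. Field names are lower-cased."""
    entries, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            pending = []
        elif line.startswith("#"):
            pending.append(line.lstrip("# ").rstrip())
        else:
            m = FIELD_RE.match(line)
            if m:
                entries.append((m.group(1).lower(), m.group(2), " ".join(pending)))
            pending = []
    return entries


def policies(entries):
    """Every Policy value with its label, so a client can offer the choice
    (bug bounty vs. outbound disclosure) instead of silently taking the first."""
    return [(c, v) for f, v, c in entries if f == "policy"]


def expires_at(entries):
    """Parsed Expires value, or None if absent/unparseable (assumed RFC 5322 date)."""
    for f, v, _ in entries:
        if f == "expires":
            try:
                return parsedate_to_datetime(v)
            except (TypeError, ValueError):
                return None
    return None


def is_expired(entries, now=None):
    """True when the file should not be trusted: no valid Expires, or it has passed."""
    exp = expires_at(entries)
    return exp is None or exp <= (now or datetime.now(timezone.utc))
```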