In terms of security.txt we have a default one that gets inherited by all ASF projects, i.e. https://github.com/apache/tomcat?tab=security-ov-file#readme

This comes from https://github.com/apache/.github/blob/main/.github/SECURITY.md

(The catalyst for this was the OpenSSF scorecards which highlight projects that do not have them)

Regards,

Mark

On Thu, Oct 10, 2024 at 5:14 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
> All,
>
> I've been making some notes starting with the Tomcat Security Day in
> Bratislava and continuing through the TTX @ Denver as well as
> presentations by Jarek and others about security posture, incident
> response, etc.
>
> I'd like to be able to offer my own expertise and experience to any
> project interested in improving their security posture. These are in
> order roughly by LOE from easiest to hardest.
>
> • Canned responses to issues (?)
> • security.txt
> • Dedicated security team (secur...@project.apache.org)
>   ◦ Reduce security@ and private@ where appropriate/possible
> • Create and document detailed incident response
>   ◦ Including key contacts and contact information
> • Disable inherently insecure features
> • Documented release process
> • Documented security / threat model(s)
> • Reproducible builds
> • Automated release process
> • SBOMs
> • Harden CI workflows (?)
>
> The (?) items came directly from Jarek's talk yesterday and I didn't
> have time to discuss with him what exactly they meant. "Canned
> responses" seemed straightforward to me but "Harden CI workflows" was
> less clear.
>
> Comments are certainly appreciated.
>
> -chris
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: security-discuss-unsubscr...@community.apache.org
> For additional commands, e-mail: security-discuss-h...@community.apache.org
>