I assumed security.txt refers to https://securitytxt.org/ https://datatracker.ietf.org/doc/html/rfc9116
https://apache.org/.well-known/security.txt

I might be wrong.

Mark J Cox <m...@apache.org> wrote on Thu., 10 Oct. 2024, 19:03:

> In terms of security.txt we have a default one that gets inherited by all
> ASF projects, i.e.
> https://github.com/apache/tomcat?tab=security-ov-file#readme
> This comes from
> https://github.com/apache/.github/blob/main/.github/SECURITY.md
>
> (The catalyst for this was the OpenSSF scorecards which highlight projects
> that do not have them)
>
> Regards, Mark
>
>
> On Thu, Oct 10, 2024 at 5:14 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> > All,
> >
> > I've been making some notes starting with the Tomcat Security Day in
> > Bratislava and continuing through the TTX @ Denver as well as
> > presentations by Jarek and others about security posture, incident
> > response, etc.
> >
> > I'd like to be able to offer my own expertise and experience to any
> > project interested in improving their security posture. These are in
> > order roughly by LOE from easiest to hardest.
> >
> > • Canned responses to issues (?)
> > • security.txt
> > • Dedicated security team (secur...@project.apache.org)
> >   ◦ Reduce security@ and private@ where appropriate/possible
> > • Create and document detailed incident response
> >   ◦ Including key contacts and contact information
> > • Disable inherently insecure features
> > • Documented release process
> > • Documented security / threat model(s)
> > • Reproducible builds
> > • Automated release process
> > • SBOMs
> > • Harden CI workflows (?)
> >
> > The (?) items came directly from Jarek's talk yesterday and I didn't
> > have time to discuss with him what exactly they meant. "Canned
> > responses" seemed straightforward to me but "Harden CI workflows" was
> > less clear.
> >
> > Comments are certainly appreciated.
> >
> > -chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: security-discuss-unsubscr...@community.apache.org
> > For additional commands, e-mail: security-discuss-h...@community.apache.org
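Since the thread turns on what "security.txt" means, here is a small validator for the RFC 9116 /.well-known/security.txt format that the first message points to (as opposed to GitHub's SECURITY.md). It is an added example, not code from this thread, the ASF or any Apache project. The two sample files are constructed and use example.org placeholders, and the validator assumes it is given the unsigned text of the file: a PGP clear-signed security.txt would need its signature verified and the armour stripped first.

```python
"""Minimal validator for an RFC 9116 security.txt body.

Added example for this thread; not code from the ASF or any Apache project.
The two sample files at the bottom are constructed for illustration and use
example.org placeholders.  The validator expects the unsigned text: a PGP
clear-signed security.txt would need its signature verified and the armour
stripped before calling it.
"""
from datetime import datetime, timedelta, timezone

# Field names from RFC 9116 section 2.5; names are matched case-insensitively.
REQUIRED = ("contact", "expires")        # at least one Contact, exactly one Expires
AT_MOST_ONCE = ("expires", "preferred-languages")
# Fields whose values may be web URIs; RFC 9116 requires web URIs to use https.
# (Encryption may also be a dns: or openpgp4fpr: URI, so only plaintext http is rejected.)
WEB_URI_FIELDS = ("acknowledgments", "canonical", "encryption", "hiring", "policy")
# RFC 9116 section 2.5.3: Contact is an e-mail (mailto:), phone (tel:) or https web URI.
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")


def utc(year, month, day):
    """Timezone-aware UTC midnight, used for the 'now' argument below."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return (fields, errors); fields maps lowercase field name -> list of values."""
    fields = {}
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '#' comments may appear anywhere
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            errors.append(f"line {lineno}: not a 'Field: value' line")
            continue
        # Unrecognised names are kept but not checked: RFC 9116 section 2.4
        # has parsers ignore fields they do not understand.
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, errors


def parse_expires(value):
    """Parse the RFC 3339 timestamp in Expires; tolerate a trailing Z/z on Python < 3.11."""
    if value[-1:] in ("Z", "z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def validate_security_txt(text, now=None):
    """Check one security.txt body; return {'fields', 'errors', 'warnings'}."""
    now = now or datetime.now(timezone.utc)
    fields, errors = parse_security_txt(text)
    warnings = []

    for name in REQUIRED:
        if name not in fields:
            errors.append(f"missing required field {name!r}")
    for name in AT_MOST_ONCE:
        if len(fields.get(name, [])) > 1:
            errors.append(f"{name!r} must not appear more than once")

    for name in WEB_URI_FIELDS:
        for value in fields.get(name, []):
            if value.lower().startswith("http://"):
                errors.append(f"{name!r} web URI must use https: {value}")
    for value in fields.get("contact", []):
        if not value.startswith(CONTACT_SCHEMES):
            errors.append(f"Contact must be a mailto:, tel: or https:// URI: {value}")

    # Only the first Expires is examined; a duplicate was already reported above.
    for value in fields.get("expires", [])[:1]:
        try:
            expires = parse_expires(value)
        except ValueError:
            errors.append(f"Expires is not an RFC 3339 date-time: {value}")
            continue
        if expires.tzinfo is None:
            errors.append(f"Expires must carry a timezone offset: {value}")
        elif expires <= now:
            errors.append(f"file expired at {expires.isoformat()}")
        elif expires - now > timedelta(days=365):
            warnings.append("Expires is more than a year away; RFC 9116 recommends under a year")

    return {"fields": fields, "errors": errors, "warnings": warnings}


# Constructed sample: a well-formed file for a hypothetical project.
SAMPLE_OK = """\
# security.txt for example.org (constructed sample)
Contact: mailto:security@example.org
Contact: https://example.org/report
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.org/pgp-key.txt
Preferred-Languages: en
Canonical: https://example.org/.well-known/security.txt
"""

# Constructed sample with the defects the checks above are meant to catch.
SAMPLE_BAD = """\
Contact: http://example.org/report
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
Preferred-Languages: en
Preferred-Languages: de
"""

if __name__ == "__main__":
    for label, body in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        report = validate_security_txt(body)
        print(label, report["errors"], report["warnings"])
```

The checks mirror the parts of RFC 9116 that projects most often get wrong: a missing Contact or Expires, a duplicated Expires or Preferred-Languages, a plaintext http URI, and an Expires that is naive, already past, or set years ahead so the file silently goes stale. Fetching the file over HTTPS from /.well-known/security.txt and verifying a clear-signature are deliberately outside this example.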