[ https://issues.apache.org/jira/browse/MNGSITE-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645656#comment-17645656 ]

ASF GitHub Bot commented on MNGSITE-503:
----------------------------------------

bmarwell commented on code in PR #354:
URL: https://github.com/apache/maven-site/pull/354#discussion_r1045125369


##########
content/filtered-resources/.well-known/security.txt:
##########
@@ -0,0 +1,6 @@
+Contact: mailto:secur...@apache.org
+Contact: mailto:priv...@maven.apache.org
+Expires: ${maven.build.timestamp}
+Preferred-Languages: en
+Policy: https://www.apache.org/security/
+Policy: https://maven.apache.org/security.html
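Review bot: `Expires: ${maven.build.timestamp}` makes the published file expired on arrival. RFC 9116 section 2.5.5 defines Expires as the RFC 3339 date-time after which the file should no longer be trusted (recommended to be less than a year in the future), and the build timestamp is the moment the site is generated, so any consumer that honours the field will treat this security.txt as stale as soon as it is deployed. Use a future date instead, either a fixed value revised with each site release or a filtered property computed as build time plus an offset, and confirm the filtered output is a valid RFC 3339 timestamp (the rendering of `maven.build.timestamp` depends on `maven.build.timestamp.format`). The RFC also recommends a `Canonical:` line giving the file's own URL under `https://maven.apache.org/.well-known/` and an OpenPGP signature over the file; both are missing from this hunk.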

Review Comment:
   > This one does not point to any policy. Just to a listing w/o any benefit for a potential reporter.
   
   Are you reading the spec at all? Or just posting random comments?
   
   > A link to a policy detailing what security researchers should do when searching for or reporting security issues.
   
   https://www.rfc-editor.org/rfc/rfc9116#section-2.5.7
   
   Both pages contain useful information for security researchers: email addresses, disclosure policy, etc.
   

> add .well-known/security.txt
> ----------------------------
>
>                 Key: MNGSITE-503
>                 URL: https://issues.apache.org/jira/browse/MNGSITE-503
>             Project: Maven Project Web Site
>          Issue Type: Improvement
>            Reporter: Benjamin Marwell
>            Assignee: Benjamin Marwell
>            Priority: Major
>              Labels: security
>
> As per consensus on the mailing list (+1 from [~rmannibucau] and me), we should add a file `.well-known/security.txt`.
> I will prepare a PR.
> References:
>  * [.well-known/security.txt at maven.apache.org (mail-archive.com)|https://www.mail-archive.com/dev@maven.apache.org/msg128366.html]
>  * [.well-known/security.txt at maven.apache.org-Apache Mail Archives|https://lists.apache.org/thread/tvfg1lx9nd72c9t4t4s3zlx6l0tpnmwy]
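The fields argued over above are all defined in RFC 9116, and the requirements are mechanical enough to check in a build. The following is an added example, not code from the maven-site PR or the Maven project: a small security.txt checker that enforces the mandatory Contact and Expires fields, the single-occurrence rule for Expires and Preferred-Languages, the mailto:/tel:/https:// scheme rule for Contact, the https-only rule for web addresses in URI fields, and that Expires is an RFC 3339 date-time in the future and less than a year ahead. The three sample files and the example.org addresses are constructed for illustration; the stale sample reproduces the effect of filling Expires from a build timestamp.

```python
"""Small RFC 9116 (security.txt) checker: added example, not code from the maven-site PR."""
import re
from datetime import datetime, timedelta, timezone

# RFC 9116 section 2.5: Contact and Expires are mandatory; Expires and
# Preferred-Languages must not appear more than once.
REQUIRED_FIELDS = ("contact", "expires")
SINGLE_VALUE_FIELDS = ("expires", "preferred-languages")
# Fields whose value is a URI; when the value is a web address it must use https://.
URI_FIELDS = ("acknowledgments", "canonical", "contact", "encryption", "hiring", "policy")
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")

# RFC 3339 date-time: full date, 'T', full time, optional fraction, 'Z' or numeric offset.
RFC3339_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})$", re.IGNORECASE
)


def parse_security_txt(text):
    """Split a security.txt body into {lowercase field name: [values]} plus syntax errors."""
    fields, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are allowed
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            errors.append(f"line {lineno}: expected 'Field: value', got {line!r}")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, errors


def parse_rfc3339(value):
    """Parse an RFC 3339 date-time into an aware datetime, or raise ValueError."""
    if not RFC3339_RE.match(value):
        raise ValueError("not an RFC 3339 date-time")
    if value[-1] in "Zz":  # fromisoformat() before Python 3.11 rejects the 'Z' suffix
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields, errors = parse_security_txt(text)

    for name in REQUIRED_FIELDS:
        if name not in fields:
            errors.append(f"missing required field '{name.title()}'")
    for name in SINGLE_VALUE_FIELDS:
        if len(fields.get(name, [])) > 1:
            errors.append(f"'{name.title()}' appears more than once")
    for name in URI_FIELDS:
        for value in fields.get(name, []):
            if value.lower().startswith("http://"):
                errors.append(f"'{name.title()}' web address must use https: {value}")
            if name == "contact" and not value.lower().startswith(CONTACT_SCHEMES):
                errors.append(f"'Contact' must be a mailto:, tel: or https:// URI: {value}")

    expires = fields.get("expires", [])
    if len(expires) == 1:  # duplicates were already reported above
        try:
            exp = parse_rfc3339(expires[0])
        except ValueError as exc:
            errors.append(f"'Expires' {exc}: {expires[0]}")
        else:
            if exp <= now:
                errors.append(f"'Expires' is in the past: {expires[0]}")
            elif exp - now > timedelta(days=365):
                errors.append(f"'Expires' is more than a year ahead: {expires[0]}")
    return errors


# Constructed sample inputs (example.org addresses, not the project's real contacts).
NOW = datetime(2022, 12, 10, 12, 0, tzinfo=timezone.utc)

# Expires equal to a past build time: what filling the field from a build timestamp yields.
STALE = """\
Contact: mailto:security@example.org
Expires: 2022-12-09T10:00:00Z
Preferred-Languages: en
Policy: https://www.example.org/security/
"""

GOOD = """\
Contact: mailto:security@example.org
Contact: https://www.example.org/security/report
Expires: 2023-06-01T00:00:00Z
Preferred-Languages: en
Policy: https://www.example.org/security/
Canonical: https://www.example.org/.well-known/security.txt
"""

BAD = """\
Contact: security@example.org
Expires: 2022-12-09T10:00
Expires: 2023-01-01T00:00:00Z
Policy: http://www.example.org/security/
"""

if __name__ == "__main__":
    for label, body in (("stale", STALE), ("good", GOOD), ("bad", BAD)):
        print(label, validate_security_txt(body, NOW) or "OK")
```

Run against the filtered output of a site build (rather than the template with unexpanded `${...}` properties), this catches an Expires value that is already in the past at publication time, as well as duplicate fields and plain-http policy links, before the file reaches the web server.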



--
This message was sent by Atlassian Jira
(v8.20.10#820010)