security.txt files (https://securitytxt.org/) are getting popular these days and I think they are fairly useful in reducing friction in reporting security problems.
I think putting such a file on nodejs.org Web site would not hurt. What do you think about generating and uploading such a file on the Web site?
Yes, this needs to be done imo.
/cc @nodejs/website @nodejs/security.
That's a great idea.
I love it. Curious how widely used security.txt is in production?
@bnb That's relatively new, but it's emerging pretty fast. Also:
+1 for security.txt. I think it could look like this -
Contact: [email protected]
Policy: https://nodejs.org/en/security/
Contribute: https://github.com/nodejs/security-wg :)
Although it is supposed to be in the /.well-known path, it would be great to create an alias to put it in the root as well (just like robots.txt). Facebook has done it too (https://www.facebook.com/security.txt).
The spec actually recommends the redirect from the root to /.well-known:
https://tools.ietf.org/html/draft-foudil-securitytxt-03#section-4.1
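An added example of the NGINX setup the thread is describing (serving the file at the well-known path and redirecting the root alias to it); this is not the configuration from nodejs/build#1181, and the document root path is assumed.

```nginx
# Added example, not the nodejs.org build configuration.
# Assumes the site is served from /var/www/nodejs.org and that the file
# lives at /var/www/nodejs.org/.well-known/security.txt.
server {
    listen 443 ssl;
    server_name nodejs.org;
    root /var/www/nodejs.org;

    # Canonical location per the draft: /.well-known/security.txt
    location = /.well-known/security.txt {
        default_type text/plain;
        try_files $uri =404;
    }

    # Root alias (like robots.txt): permanent redirect to the
    # well-known path, as the draft's section 4.1 recommends.
    location = /security.txt {
        return 301 https://$host/.well-known/security.txt;
    }
}
```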
PR nodejs/nodejs.org#1589 submitted against the Node.js Web site repo.
The PR ☝️ has been merged. We now need the PR to update NGINX configuration to be merged: nodejs/build#1181.
Both PRs have been merged, the file has been up on the site for some time now and all seems to be working fine. Closing.