security.txt

最近開始有人在討論「security.txt」這個標準了,可以在「A Method for Web Security Policies」這邊看到 draft。

想法其實類似於 robots.txt

# Our security address
Contact: security@example.com

# Our PGP key
Encryption: https://example.com/pgp-key.txt

# Our disclosure policy
Disclosure: Full

以往的方式是透過 WHOIS 或是 DNS 的 SOA 欄位來聯絡,或是直接寄到 security@domain,現在這個架構就多了一套方法,是好是壞不曉得...

Leave a Reply

Your email address will not be published. Required fields are marked *