
disconnected | 6 years ago

This seems like a really poorly thought out proposal.

From the draft's [1] intro, which provides motivation for the proposal:

> When security vulnerabilities are discovered by independent security researchers, they often lack the channels to report them properly [...]

Occam's Razor: they lack the channel to report those vulnerabilities because the company doesn't give a damn about security, not because of some hitherto unsolved technical difficulty.

Companies that give a damn about security already have either a "catch-all" contact for security related things displayed on their contacts page, or have dedicated pages detailing what the hell you are supposed to do to report a vulnerability. Companies that don't give a damn will continue to not give a damn and will ignore your document, and will continue to suck at security until someone starts punishing them - monetarily - for such appalling behavior.

But let's leave that aside for a moment. Researchers spot vulnerabilities. Need a way to report them. So what's the solution?

Apparently, a text file with only one mandatory field...

> 3.5.3. Contact

> This directive indicates an address that researchers should use for reporting security vulnerabilities. The value MAY be an email address, a phone number and/or a web page with contact information.

...which contains... er... a catch-all contact for security related things and/or a link to a contacts page detailing exactly what the hell you are supposed to do to report a vulnerability? sigh...

But the real kicker is that the standard doesn't even require that the contact information is up to date or valid:

> 6.2. Incorrect or Stale Information

> [...] Organizations SHOULD ensure that information in this file and any referenced resources such as web pages, email addresses and telephone numbers are kept current, are accessible, controlled by the organization, and are kept secure.

In case the meaning of "SHOULD" is in question see RFC 2119 [2], but basically, they "strongly recommend" that you keep your contact information up to date - instead of, I dunno, REQUIRING it, since having a channel to properly report security vulnerabilities is the ENTIRE POINT of this exercise?

/facepalm

Are we really supposed to take this seriously? This is simply security theater.

[1] https://tools.ietf.org/html/draft-foudil-securitytxt-08

[2] https://www.ietf.org/rfc/rfc2119.txt
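An added example (the editor's, not code from this thread or from the draft's authors) that checks a security.txt file for the two points quoted above: the one mandatory Contact directive from 3.5.3, and the 6.2 recommendation that contact resources be controlled by the organization. The "Field: value" line syntax and the email/phone/web value patterns are assumptions about the draft's format, and "controlled by the organization" is approximated as "under the organization's own domain".

```python
import re

# Draft 3.5.3: Contact is the only mandatory directive (email, phone or web page).
# Draft 6.2: referenced resources SHOULD be controlled by the organization; reading
# that as "under the organization's own domain" is this example's heuristic.
EMAIL_RE = re.compile(r"^(?:mailto:)?([^@\s]+)@([^@\s]+)$", re.I)
PHONE_RE = re.compile(r"^(?:tel:)?\+?[0-9().\- ]{6,}$")
URL_RE = re.compile(r"^https?://([^/\s:]+)", re.I)

def parse_security_txt(text):
    """Return (field, value) pairs; '#' lines are comments, field names case-insensitive."""
    directives = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            field, sep, value = line.partition(":")
            if sep and field.strip():
                directives.append((field.strip().lower(), value.strip()))
    return directives

def classify_contact(value):
    """Return (kind, domain); domain is None for phone numbers and unknown values."""
    if m := EMAIL_RE.match(value):
        return "email", m.group(2).lower()
    if m := URL_RE.match(value):
        return "web", m.group(1).lower()
    if PHONE_RE.match(value):
        return "phone", None
    return "unknown", None

def validate(text, org_domain):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    contacts = [v for f, v in parse_security_txt(text) if f == "contact"]
    if not contacts:
        findings.append("missing mandatory Contact directive (3.5.3)")
    for value in contacts:
        kind, domain = classify_contact(value)
        if kind == "unknown":
            findings.append(f"unrecognised Contact value: {value}")
        elif domain and domain != org_domain and not domain.endswith("." + org_domain):
            findings.append(f"{value} is not under {org_domain} (6.2: SHOULD be org-controlled)")
    return findings

# Constructed sample file, not taken from any real site.
SAMPLE = """# constructed sample
Contact: mailto:security@example.com
Contact: https://example.com/.well-known/report
Contact: tel:+1-201-555-0123
Contact: security@thirdparty.example
"""
```

Running `validate(SAMPLE, "example.com")` flags only the last Contact line, whose domain is not the organization's; an empty file is flagged for the missing mandatory directive.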


velosol | 6 years ago

Isn't this part of why postmaster and abuse addresses exist? Perhaps a WHOIS entry that was specifically for security issues?