Add support for security.txt
Release notes
Organizations can facilitate the responsible disclosure of security issues by providing public contact information. The standard way to do this is by using a security.txt file present at https://YOUR_WEBSITE/.well-known/security.txt.
Problem to solve
- GitLab.com does not have a security.txt file at the /.well-known location
- It does have https://gitlab.com/gitlab-org/gitlab/-/blob/master/security.txt, which is what we'd put in the GitLab.com application setting if this feature exists
- As an example, https://findsecuritycontacts.com/query/gitlab.com looks at https://gitlab.com/security.txt, which is a user's profile 🙄
- Our competitors do:
- GitLab self-managed administrators do not have a native feature to communicate a security.txt file for their instance
- Security researchers who discover security issues with GitLab.com or GitLab self-managed instances might not know who to contact
- GitLab's Support and AppSec teams occasionally get reports about instances that do not belong to GitLab; this might ameliorate that issue
Proposal
- Allow Administrators to provide content which will be rendered at https://YOUR_INSTANCE/.well-known/security.txt
- Make it an instance level administration setting
- Return a 404 if the value is blank; this is consistent with the current behavior where the feature does not yet exist
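As an added example (not GitLab's code; the module and method names are assumptions), a Ruby sketch of the proposed behaviour, returning 404 for a blank setting and text/plain otherwise, together with a check of the RFC 9116 MUSTs that an administrator could run on the content before saving it:

```ruby
require 'time'
# Added example for this proposal (not GitLab's code; names are assumptions):
# serve the instance setting at /.well-known/security.txt and sanity-check it.
module SecurityTxt
  REQUIRED = %w[contact expires].freeze
  # Constructed samples (no real site); STALE uses a non-RFC 3339 Expires value.
  VALID = "Contact: mailto:security@example.com\nExpires: 2999-01-01T00:00:00Z\n"
  STALE = "# note\nContact: https://example.com/report\nExpires: Fri, 29 Dec 2023 15:21:19 -0800\n"

  # Proposal behaviour as a Rack triple: blank setting => 404, otherwise text/plain.
  def self.rack_response(setting_value)
    body = setting_value.to_s
    return [404, { 'content-type' => 'text/plain' }, ['']] if body.strip.empty?
    body += "\n" unless body.end_with?("\n")
    [200, { 'content-type' => 'text/plain; charset=utf-8' }, [body]]
  end

  # "Field: value" => { 'field' => [values] }; skips comments, armor lines, the Hash: header and the signature.
  def self.parse(content)
    fields = Hash.new { |h, k| h[k] = [] }
    content.each_line do |raw|
      line = raw.chomp
      break if line == '-----BEGIN PGP SIGNATURE-----'
      next if line.empty? || line.start_with?('#', '-----', 'Hash: ')
      next unless (m = line.match(/\A([A-Za-z-]+):\s*(\S.*)\z/))
      fields[m[1].downcase] << m[2].strip
    end
    fields
  end

  # Offline-checkable RFC 9116 MUSTs: Contact and Expires present, Expires once, RFC 3339, not passed, Contact a URI.
  def self.problems(content, now: Time.now.utc)
    fields = parse(content)
    problems = REQUIRED.reject { |f| fields.key?(f) }.map { |f| "missing required field #{f.capitalize}" }
    expires = fields.fetch('expires', [])
    if expires.size > 1
      problems << 'Expires must appear exactly once'
    elsif (raw = expires.first)
      begin
        problems << 'Expires is in the past' if Time.iso8601(raw) < now
      rescue ArgumentError
        problems << "Expires is not an RFC 3339 timestamp: #{raw}"
      end
    end
    fields.fetch('contact', []).each do |c|
      problems << "Contact must be a URI (mailto:, https:, tel:): #{c}" unless c.match?(/\A(mailto|https|tel):/)
    end
    problems
  end
end
```

Run against the example files listed further down this page, the checker flags only the ones whose Expires is not in RFC 3339 form.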
Intended users
Any of the following personas are likely to use this feature:
- Cameron (Compliance Manager)
  - Providing security contact information is part of various security frameworks or directives; therefore Cameron is most likely to need this feature
  - This is why I chose Category:Compliance Management as the closest fit
- Alex (Security Operations Engineer)
- Amy (Application Security Engineer)
  - Alex and Amy are most likely to run a vulnerability disclosure process and/or be on the receiving end of a security issue report. They are likely to be involved in the use of this feature
- Isaac (Infrastructure Engineer)
- Sidney (Systems Administrator)
  - In smaller organisations without dedicated security roles, it might be Isaac or Sidney who configure this
Feature Usage Metrics
There is no plan to track the usage of this feature.
Does this feature require an audit event?
No - only Administrators can change this setting, and it is not a significant setting.
Example security.txt files
See https://findsecuritycontacts.com/only-valid
The longest I found in a very non-exhaustive search was 1188 characters (below). Most others were much shorter.
1188 chars https://www.pro.wiki/.well-known/security.txt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Contact: mailto:info@professional.wiki
Expires: 2024-04-30T00:00:00.000Z
Preferred-Languages: en, de
Encryption: https://pgp.mit.edu/pks/lookup?op=get&search=0x17362FF02F3D9488
Canonical: https://www.pro.wiki/.well-known/security.txt
Signed by: https://keybase.io/kghbln
-----BEGIN PGP SIGNATURE-----
Version: Keybase OpenPGP v2.1.13
Comment: https://keybase.io/crypto
-----END PGP SIGNATURE-----
545 chars https://securitytxt.org/.well-known/security.txt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Contact: https://hackerone.com/ed
Expires: 2024-03-14T00:00:00.000Z
Acknowledgments: https://hackerone.com/ed/thanks
Preferred-Languages: en, fr, de
Canonical: https://securitytxt.org/.well-known/security.txt
Policy: https://hackerone.com/ed?type=team&view_policy=true
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQSsP2kEdoKDVFpSg6u3rK+YCkjapwUCY9qRaQAKCRC3rK+YCkja
pwALAP9LEHSYMDW4h8QRHg4MwCzUdnbjBLIvpq4QTo3dIqCUPwEA31MsEf95OKCh
MTHYHajOzjwpwlQVrjkK419igx4imgk=
=KONn
-----END PGP SIGNATURE-----
1135 chars https://www.bbc.com/.well-known/security.txt
# version: 4403f41be87d6cb38111c86f6625163ee8871794
# British Broadcasting Corporation - reporting security vulnerabilities to the BBC
# Please report any security vulnerabilities to us via the contact method(s) below, only after reading our disclosure policy.
# Please do not include any sensitive information in your initial message, we'll provide a secure communication method in our reply to you.
Contact: mailto:security@bbc.co.uk
# Our disclosure policy. By submitting a potential security incident to us, you are implicitly accepting these terms - please read this before submitting:
Policy: https://www.bbc.com/backstage/security-disclosure-policy/
# We're continually recruiting, please visit the link below and search for "information security" if you're interested in a career with the BBC in infosec
https://careers.bbc.co.uk/search/
Expires: 2038-01-19T03:14:07Z
# The BBC SOC does have some folks who speak languages other than English, however coverage isn't guaranteed for anything other than English
Preferred-Languages: en
# Please see https://securitytxt.org/ for details of the specification of this file
981 chars https://www.usaa.com/.well-known/security.txt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
# USAA Secure Vulnerability Disclosure
Contact: https://bugcrowd.com/usaa/report
Contact: mailto:disclosure@usaa.com
Encryption: https://www.usaa.com/gpg_disclosure_public.txt
Acknowledgments: https://bugcrowd.com/usaa/hall-of-fame
Preferred-Languages: en
Canonical: https://www.usaa.com/.well-known/security.txt
Policy: https://bugcrowd.com/usaa
Hiring: https://www.usaajobs.com/search-jobs/information%20security/
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
433 chars https://www.facebook.com/.well-known/security.txt
Contact: https://www.facebook.com/whitehat/report/
Acknowledgments: https://www.facebook.com/whitehat/thanks/
Hiring: https://www.facebook.com/careers/teams/security/
# Found a bug? Our bug bounty policy:
Policy: https://www.facebook.com/whitehat/info/
# What we do when we find a bug in another product:
Policy: https://www.facebook.com/security/advisories/Vulnerability-Disclosure-Policy
Expires: Fri, 29 Dec 2023 15:21:19 -0800
278 chars https://github.com/.well-known/security.txt
Contact: https://hackerone.com/github
Acknowledgments: https://hackerone.com/github/hacktivity
Preferred-Languages: en
Canonical: https://github.com/.well-known/security.txt
Policy: https://bounty.github.com
Hiring: https://github.com/about/careers
Expires: 2023-12-29T23:21:20z
438 chars https://vdp.cabinetoffice.gov.uk/.well-known/security.txt
Policy: https://www.gov.uk/help/report-vulnerability
Contact: https://hackerone.com/44c348eb-e030-4273-b445-d4a2f6f83ba8/embedded_submissions/new
Contact: https://www.gov.uk/contact/govuk
Acknowledgments: https://vdp.cabinetoffice.gov.uk/thanks.txt
Hiring: https://www.civilservicejobs.service.gov.uk/
Last-Updated: 2023-10-17 13:04:49+00:00
Expires: 2024-01-17 13:04:49+00:00
# Generated at: https://github.com/alphagov/security.txt
245 chars https://www.google.com/.well-known/security.txt
Contact: https://g.co/vulnz
Contact: mailto:security@google.com
Encryption: https://services.google.com/corporate/publickey.txt
Acknowledgements: https://bughunters.google.com/
Policy: https://g.co/vrp
Hiring: https://g.co/SecurityPrivacyEngJobs
Compliance references / frameworks
ISO2700X
ISO advises organisations to make a public effort to track down any vulnerabilities, and encourage third-parties to engage in vulnerability management efforts through the use of bounty programs (where exploits are looked for and reported to the organisation for a reward).
Organisations should make themselves available to the general public through forums, public email addresses and research activity so that the collective knowledge of the wider public can be used to safeguard products and services at source.
https://www.isms.online/iso-27002/control-8-8-management-of-technical-vulnerabilities/
NZISM
Agencies to create a vulnerability reporting point
5.9.16. When security risks in agency services are discovered and reported to the agency, it is vital that a robust communication channel is available to receive the report.
5.9.17. This is commonly described as a “security.txt”. A draft standard has been published (see References below) to help agencies (and other organisations) outline a process for security researchers to securely report security vulnerabilities....
5.9.24.C.01. Control System Classification(s): All Classifications; Compliance: Must [CID:7133]
An agency MUST develop and publish a VDP.
5.9.25.C.01. Control System Classification(s): All Classifications; Compliance: Should [CID:7136]
An agency SHOULD publish a security.txt to permit secure communications and direct any reports to a specific agency resource, in accordance with the agency’s VDP.
https://nzism.gcsb.govt.nz/ism-document/#Section-12947
CISA
BINDING OPERATIONAL DIRECTIVES
BOD 20-01: Develop and Publish a Vulnerability Disclosure Policy
Within 180 calendar days after the issuance of this directive:
Publish a vulnerability disclosure policy as a public web page in plain text or HTML at the “/vulnerability-disclosure-policy” path of the agency’s primary .gov website....
Can we use a security.txt file?
Yes. security.txt is a proposed standard that allows websites to define security policies and the best points of contact to report a vulnerability. While use is not required under the directive, it can help some people find who to share vulnerability findings with.
Cross-Sector Cybersecurity Performance Goals
A common set of protections that all critical infrastructure entities - from large to small - should implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques....
Deploy Security.TXT Files (4.C)
All public-facing web domains have a security.txt file that conforms to the recommendations in RFC 9116
https://www.cisa.gov/cross-sector-cybersecurity-performance-goals#DeploySecurityTXTFiles4C
UK Govt
Advocating security.txt across UK government
The security.txt was endorsed by the Data Standards Authority in March 2023. ... Departments should define what they expect from someone reporting a vulnerability, as well as what they will do in response, by providing a clear policy. This enables the department and the finder to confidently work within an agreed framework.
Security.txt is a plaintext file that should be published in the “/.well-known” directory of the domain root.
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.