
Update security contact and vulnerability disclosure info

Nick Malcolm requested to merge 433210-update-securitytxt into master

What does this MR do and why?

In Allow administrators to provide public security... (!138259 - merged) we introduced a native GitLab feature that provides publicly accessible security information at the URL https://gitlab.example.com/.well-known/security.txt.

In Configure instance application setting "securit... (gitlab-com/gl-infra/production#17231 - closed) we configured GitLab.com to render our security.txt content (https://gitlab.com/.well-known/security.txt). This is now the SSoT for our security.txt RFC 9116 content. As such, we should remove gitlab-org/gitlab/security.txt. It is not part of the RFC to provide that content as a file on the filesystem, though it was a good intermediary option.

I found that CONTRIBUTING.md also referenced a section of documentation that no longer exists. I've updated it to point to https://about.gitlab.com/security/disclosure/, which is our SSoT for our disclosure process (not RFC 9116 formatted).

Notably, I actually made a very similar change back in May 2022: Update security disclosure process (!87843 - merged). But that section was removed, so currently if you follow the link from CONTRIBUTING.md to doc/development/contributing/index.md you find no security information.


Related to #433210 (closed)

Edited by Nick Malcolm
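The document the MR moves to the instance setting is an RFC 9116 security.txt served at /.well-known/security.txt. The following is an added example, not code from this MR or from GitLab, showing the checks a reviewer would run against such a document before publishing it: the required Contact and Expires fields, the single-use fields, Contact URI schemes, a parseable and unexpired Expires value, and Canonical pointing at the well-known location over HTTPS. The function names (parse_security_txt, validate_security_txt), the sample documents and the e-mail address and URLs inside them are constructed; gitlab.example.com is the placeholder host the MR itself uses.

```python
"""Check a security.txt document against the core RFC 9116 rules.

Added example, not part of the GitLab MR. The sample documents below are
constructed; gitlab.example.com is the placeholder host used in the MR.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Fields RFC 9116 makes mandatory, and fields it allows only once.
REQUIRED_FIELDS = {"contact", "expires"}
SINGLE_USE_FIELDS = {"expires", "preferred-languages"}
KNOWN_FIELDS = {
    "acknowledgments", "canonical", "contact", "csaf", "encryption",
    "expires", "hiring", "policy", "preferred-languages",
}
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Return {field-name (lower-case): [values...]}, skipping blank and comment lines."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line (no 'Name: value'): {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the document passed these checks."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems: list[str] = []

    for name in sorted(REQUIRED_FIELDS - fields.keys()):
        problems.append(f"missing required field: {name}")
    for name in sorted(SINGLE_USE_FIELDS):
        if len(fields.get(name, [])) > 1:
            problems.append(f"field must appear at most once: {name}")

    # Contact values must be URIs; RFC 9116 expects https, mailto or tel.
    for value in fields.get("contact", []):
        if not value.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"contact is not an https/mailto/tel URI: {value}")

    # Expires must be ISO 8601 with a time zone, in the future, and ideally < 1 year out.
    if len(fields.get("expires", [])) == 1:
        try:
            expires = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
        except ValueError:
            problems.append("expires is not an ISO 8601 timestamp")
        else:
            if expires.tzinfo is None:
                problems.append("expires has no time zone")
            elif expires <= now:
                problems.append("document has expired")
            elif expires - now > timedelta(days=365):
                problems.append("expires is more than a year in the future")

    # Canonical URLs should point at the well-known location over HTTPS.
    for value in fields.get("canonical", []):
        if not (value.startswith("https://") and value.endswith("/.well-known/security.txt")):
            problems.append(f"canonical is not an https .well-known/security.txt URL: {value}")

    for name in sorted(fields.keys() - KNOWN_FIELDS):
        problems.append(f"unknown field (not defined by RFC 9116): {name}")
    return problems


# Constructed sample: a conforming document for the MR's placeholder host.
GOOD_SECURITY_TXT = """\
# Served at https://gitlab.example.com/.well-known/security.txt (constructed sample)
Contact: mailto:security@gitlab.example.com
Contact: https://gitlab.example.com/security/disclosure
Expires: 2024-12-31T23:59:00Z
Canonical: https://gitlab.example.com/.well-known/security.txt
Preferred-Languages: en
"""

# Constructed sample with several defects: plain-http Contact, no Expires,
# duplicated Preferred-Languages, Canonical outside /.well-known/.
BAD_SECURITY_TXT = """\
Contact: http://gitlab.example.com/security
Preferred-Languages: en
Preferred-Languages: fr
Canonical: https://gitlab.example.com/security.txt
"""

FIXED_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # pinned so results are reproducible

if __name__ == "__main__":
    for label, doc in (("good", GOOD_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        print(label, validate_security_txt(doc, now=FIXED_NOW) or ["ok"])
```

Pinning `now` keeps the Expires checks reproducible; in a real pre-publish check you would omit it and fetch the document from the instance's .well-known URL, since a stale Expires is the most common way a published security.txt silently stops being trustworthy.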
