
A security.txt for gits?

Formal metadata

Title
A security.txt for gits?
Series title
Number of parts
38
Author
License
CC Attribution 3.0 Unported:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided you credit the author/rights holder in the manner specified by them.
Identifiers
Publisher
Year of publication
Language

Content metadata

Subject area
Genre
Abstract
We want to propose to start the discussion on a machine-readable, standardized addition to git repositories which will serve two purposes:

a) Coordinated Vulnerability Disclosure: provide the information necessary for an anonymous, easily accessible, legally secure and ethical CVD process.

b) Up- & Downstream Vulnerabilities: allow projects using the code to receive reports on vulnerabilities in a feed before the CVE is public.

Cunningham's Law states: "the best way to get the right answer on the internet is not to ask a question; it's to post the wrong answer." We ask that this talk be understood in this sense. Please let us know how this should be done properly in the linked issues (CVD, Up- & Downstream Vulnerabilities).

To our understanding, securing FOSS requires two kinds of measures: preventive measures like pen-tests and audits, and reactive measures like a CVD process and up- and downstreaming of relevant information.

Why do we care about this? The "InÖG - Innovationsverbund Öffentliche Gesundheit e.V." is a German open-source project working on GovTech solutions for administration2X communication since 2021. Our solution IRIS-Connect [1] ran in 54 public health centers in four states (North Rhine-Westphalia, Hesse, Saxony, and Thuringia), serving 30.4 million German citizens as the link between public health centers and contact tracing apps. To us, security questions were central for two main reasons: A) the sensitive information, including health data, that IRIS-Connect handled; B) the non-negligible attack surface of public health centers. Due to A), IRIS offers E2EE communication between public health centers and the apps used by the population at large. The relevance of the second point was stressed by the known vulnerabilities reported in similar solutions [2]. Given this situation, the government institutions interested in using our software wanted to know "whom they could call" if something is wrong.

Given the imminent situation, we were able to find practical short-term solutions, but the issue remains. Especially with the EU's Cyber Resilience Act [3] on the horizon, the question of how to reach out to OSS projects will become more relevant. For a more comprehensive view of the challenges of FOSS procurement, please see Miriam Swyffarth's talk: "Why isn't the German administration procuring more FOSS?"

This talk is part of the InÖG's current cooperation with the BSI - Germany's cybersecurity agency - in the project "B3 - Buntes Bug Bounty" as part of the BSI's annual Cybersicherheitsdialog. For more information, please visit the project websites of both partners [4][5]. We acknowledge funding by the BSI in the form of reimbursements of expenses of the volunteering contributors.