FHIR Chat · well-known security.txt · Security and Privacy

Stream: Security and Privacy

Topic: well-known security.txt


John Moehrke (Oct 25 2021 at 20:17):

Should the FHIR core specification encourage servers to publish the well-known security.txt file? To enable vulnerability reporting? https://securitytxt.org/

Grahame Grieve (Oct 26 2021 at 18:09):

I'm not sure how useful that is. At least, beyond a first contact point.

Grahame Grieve (Oct 26 2021 at 18:09):

I see that the security page doesn't reference OWASP or the Top Ten. I think we probably should do that.

David Pyke (Oct 26 2021 at 18:10):

The Top Ten list is great but not terribly approachable language for non-security researchers.

David Pyke (Oct 26 2021 at 18:11):

We need a simple language version of "Top 10 things not to do"

Grahame Grieve (Oct 26 2021 at 18:13):

I worry that if we simplify it, we'll become responsible for the issues that arise in the simplification.

David Pyke (Oct 26 2021 at 18:24):

True. We would need to make it approachable but not overly simplified. It would be a tough writing gig but needed

John Moehrke (Oct 26 2021 at 19:31):

we do too -- Very first section -- http://hl7.org/fhir/secpriv-module.html#security

John Moehrke (Oct 26 2021 at 19:32):

"OWASP Mobile Security"

Grahame Grieve (Oct 26 2021 at 19:47):

oh but not on this page: https://hl7.org/fhir/security.html

John Moehrke (Dec 01 2021 at 13:27):

John Moehrke said:

Should the FHIR core specification encourage servers to publish the well-known security.txt file? To enable vulnerability reporting? https://securitytxt.org/

I want community feedback on this possible recommendation we could make to servers and product implementers: that they have a well-known security.txt file.

It seems easy, but I want community feedback to understand if there are other alternatives they currently do that we should consider.

Another alternative uses DNS -- https://dnssecuritytxt.org/

John Moehrke (Dec 01 2021 at 13:38):

/poll Recommendation for Vendor/Product/Service to invite comments
Well-known Security.txt endpoint https://securitytxt.org/
DNS TXT record for Security https://dnssecuritytxt.org/
General guidance without specificity
HL7 should stay silent

John Moehrke (Dec 01 2021 at 13:44):

also now FHIR-34404

John Moehrke (Dec 07 2021 at 17:23):

The Security WG agreed to mention the need for vulnerability reporting, but stopped short of naming specifics like security.txt.
http://build.fhir.org/security.html

"13. Security / Privacy Event Reporting - Consider legal obligations and ethical obligations to provide a means for Security and/or Privacy Event Reporting such as security vulnerability, or breach."


Last updated: Apr 12 2022 at 19:14 UTC