-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add security.txt file #5359
base: master
Are you sure you want to change the base?
Add security.txt file #5359
Conversation
Make a lot of sense, thanks Daniel! I got 2 questions (non blocking):
|
I like it. I don't mind updating the expiration date once a year with a pull request created by a human being. It shows that someone considered if the referenced pages are current and complete. What if we extended the Jenkinsfile with a script that marks the build unstable when we are within a month of expiration? It currently checks for typos as one of the stages on ci.jenkins.io. |
I though an automated PR (e.g. with updatecli or renovabot or even cron trigger) which does all the trick (to ensure that the date format is kept: I do not trust humans for date formats), but requires a human approval. |
This looks something we might be able to finish off and merge. |
Co-authored-by: Meg McRoberts <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for the initiative
|
||
Expires: 2026-01-01T00:00:00.000Z | ||
Canonical: https://www.jenkins.io/.well-known/security.txt | ||
Policy: https://www.jenkins.io/security/reporting/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Policy: https://www.jenkins.io/security/reporting/ | |
Policy: https://www.jenkins.io/security/reporting/ | |
Policy: https://github.com/jenkinsci/docker/blob/master/SECURITY.md |
adding the policy specific to CVEs reporting
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actual link is
Policy: https://www.jenkins.io/security/reporting/ | |
Policy: https://www.jenkins.io/security/reporting/ | |
Policy: https://github.com/jenkinsci/docker/security/policy |
Just as a precaution, I have an |
See https://securitytxt.org/
The expiration date is mandatory and a bit annoying. Options:
.well-known/
work.Thoughts?