├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── index.html
└── w3c.json

/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
# Code of Conduct

All documentation, code and communication under this repository are covered by the [W3C Code of Ethics and Professional Conduct](https://www.w3.org/Consortium/cepc/).

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
Contributions to this repository are intended to be published by W3C under the
[Software and Document License](http://www.w3.org/Consortium/Legal/copyright-software).

If you are not the sole contributor to a contribution (pull request), please identify all
contributors in the pull request comment.

To add a contributor (other than yourself, that's automatic), mark them one per line as follows:

```
+@github_username
```

If you added a contributor by mistake, you can remove them in a comment with:

```
-@github_username
```

If you are making a pull request on behalf of someone else but you had no part in designing the
feature, you can remove yourself with the above syntax.

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
All documents in this Repository are licensed by contributors
under the
[W3C Software and Document License](http://www.w3.org/Consortium/Legal/copyright-software).

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Guidelines for Security Disclosures

--------------------------------------------------------------------------------
/index.html:
--------------------------------------------------------------------------------
This document contains a template intended for organizations interested in protecting their users and applications from fraud, malware, and computer viruses, and in ensuring proper adherence to the security and privacy considerations included in W3C Recommendations. It also helps to support broad participation, testing, and audit by the security community, which keep users safe and the Web's security model intact.
This document is a work in progress and may be changed at any time and without notice.
This March 2017 W3C Team Submission is a proposal for security and privacy disclosure programs.
By publishing this document, Philippe Le Hegaret made a formal submission to W3C for discussion. Publication of this document by W3C indicates no endorsement of its content by W3C, nor that W3C has, is, or will be allocating any resources to the issues addressed by it. This document is not the product of a chartered W3C group, but is published as potential input for further work. Please consult the complete list of acknowledged W3C Team Submissions.
Many organizations making software and hardware products encourage their customers and users to provide feedback about bugs in their products. Especially important are bugs related to security, which can be exploited to gain unauthorized access or privileges in their products. However, in some cases customers and security researchers are reluctant to provide such information to vendors. This is particularly the case when their actions could be interpreted as circumventing measures that control access to copyrighted works: there are existing statutes prohibiting the circumvention of technological protection measures (TPMs), such as sections 1201-1203 of the US DMCA, as well as laws in other territories (EUCD implementations in the EU; Bill C-11 in Canada; and other laws throughout Asia, Latin America, Australia, New Zealand, etc.).
The deployment and ubiquity of the Web reinforce the importance of maintaining strong security in the Web Platform. We rely on broad participation, testing, and audit to keep users safe and the Web's security model intact. We should therefore ensure that such broad testing and audit continues to be possible, as it is necessary to keep both design and implementation quality high.
This document provides a template that vendors should adopt as best practice; adopting it removes impediments to disclosing security and privacy bugs.
This section contains a template of typical coordinated disclosure program best practices that we recommend organizations adopt.
We (the organization):

- Agree not to bring suit against you, recommend law enforcement investigation, or cooperate with law enforcement investigation, if your disclosure meets the criteria listed in this section;
- Request that you give us a reasonable time (usually not to exceed 90 days) before publicly disclosing specific details of the vulnerability;
- Request to be provided an appropriate level of detail on the vulnerability to allow us to identify and reproduce the issue. Detail should include target URLs, request/response pairs, screenshots, and/or other relevant information;
- Agree to confirm, within a reasonable time, receipt of your disclosure (such as 3 days) and the validity of your disclosure (such as 10 days);
- Request that your vulnerability research not create service disruption (e.g. DoS), privacy issues (e.g. accessing a customer's data), or data destruction, to the extent reasonably possible.
Your organization may not impose any further conditions or restrictions on the disclosures, but may include reasonable, customary terms relating to sending disclosures or interacting with vulnerability researchers, such as the following: interest in specific disclosures, compensation, choice of law, and dispute resolution. Your organization may also express interest or disinterest in particular areas of review.
We also recommend that your organization keep the researcher informed of progress in fixing the issue.
Note: your organization must provide a reasonable means of communication for receiving disclosures, and may also offer a means of encrypted communication for sending them.
Several individuals contributed to the document. The author especially thanks: @@TODO.
The document was largely inspired by the Responsible Vulnerability Disclosure from Netflix and the W3C Technical Architecture Group statement.