add /.well-known/security.txt

https://securitytxt.org/
2024-01-22 12:55:34 -08:00 · 2024-01-22 12:55:34 -08:00 · 90a7b2def8
commit 90a7b2def8
--- a/app.yaml
+++ b/app.yaml
@ -57,6 +57,11 @@ handlers:
  upload: static/robots.txt
  secure: always

+- url: /.well-known/security.txt
+  static_files: static/security.txt
+  upload: static/security.txt
+  secure: always
+
 # dynamic
 - url: .*
  script: auto
--- a/static/security.txt
+++ b/static/security.txt
@ -0,0 +1,14 @@
+Contact: mailto:security@brid.gy
+Expires: 2030-01-01T08:00:00.000Z
+Preferred-Languages: en
+Canonical: https://fed.brid.gy/.well-known/security.txt
+Policy: https://fed.brid.gy/docs#vulnerability
+
+Thank you for investigating Bridgy Fed's security! We appreciate any and all reports of vulnerabilities. The code is open source (https://github.com/snarfed/bridgy-fed), feel free to try to break in, let us know if you succeed!
+
+A few guidelines for your report to qualify for a monetary reward:
+
+* Vulnerabilities must be in the application itself, not unrelated services like email (eg SPF/DKIM/DMARC).
+* Out of scope: rate limiting, XSS/CSRF attacks (Bridgy Fed has no authenticated sessions or private data accessible to users).
+* Public user data is intentionally public. That's not a vulnerability.
+* No automated fuzzing, DoSes, or other high volume traffic. We block this traffic, and it will disqualify you from any possible award.