Skip to content

Add RFC 9116 security.txt to static/.well-known/#43

Open
kobihikri wants to merge 1 commit into
getsops:mainfrom
kobihikri:add-security-txt
Open

Add RFC 9116 security.txt to static/.well-known/#43
kobihikri wants to merge 1 commit into
getsops:mainfrom
kobihikri:add-security-txt

Conversation

@kobihikri

Copy link
Copy Markdown

What this does

Adds /.well-known/security.txt by placing it in static/.well-known/security.txt, which Hugo copies verbatim to the published site root.

Why

RFC 9116 defines a standard file at /.well-known/security.txt so a researcher can find where to report a vulnerability. Right now the live file is missing:

$ curl -sSL -o /dev/null -w '%{http_code}\n' https://getsops.io/.well-known/security.txt
404

sops is a secrets-management tool, so a discoverable reporting pointer feels especially fitting. I pointed the file at the existing flow rather than inventing anything:

  • Contact: https://github.com/getsops/sops/security/advisories/new — the GitHub security-advisory flow the sops README already directs reporters to
  • Policy: the sops security policy
  • Expires: — RFC 9116 requires this field; set ~1 year out.

Verifying it will serve

static/ is copied verbatim to the published site — e.g. static/favicons/favicon.ico is live at https://getsops.io/favicons/favicon.ico (200) and static/images/...svg at https://getsops.io/images/... (200). So static/.well-known/security.txt will publish at https://getsops.io/.well-known/security.txt. Please double-check on a preview build.

Single file, no other changes. Commit is DCO signed-off.


Disclosure: I used an AI tool to help spot this and draft the file. I verified every line myself against the live site and the sops security policy, and I take responsibility for the change. Happy to adjust the Expires date, contact, or policy link to whatever you prefer.

Adds a machine-discoverable security contact at /.well-known/security.txt,
served by Hugo from static/. Points to the existing sops GitHub security-
advisory reporting flow. Includes the RFC 9116-mandatory Expires field.

Assisted by an AI tool; every line verified against the live site and the
sops security policy.

Signed-off-by: Kobi Hikri <kobi.hikri@gmail.com>
@netlify

netlify Bot commented Jul 14, 2026

Copy link
Copy Markdown

Deploy Preview for getsops ready!

Name Link
🔨 Latest commit fd6cc81
🔍 Latest deploy log https://app.netlify.com/projects/getsops/deploys/6a564d8c42fe8d0008d16566
😎 Deploy Preview https://deploy-preview-43--getsops.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant