FHIR Specification Feedback

FHIR-34404: recommendation for Vendor/Product/Service to invite security vulnerabilities reporting


Details

    • Type: Change Request
    • Resolution: Persuasive with Modification
    • Priority: Very High
    • FHIR Core (FHIR)
    • R5
    • Security
    • Security & Privacy Module (secpriv-module)
    • Resolution text: add security checklist item

      • 13. Security / Privacy Event Reporting - Consider legal obligations and ethical obligations to provide a means for Security and/or Privacy Event Reporting such as security vulnerability, or breach.

    • Rob Horn / Bill Jacqmein: 11-0-0
    • Clarification
    • Compatible, substantive
    • R5

    Description

      Should the FHIR core specification encourage servers to publish the well-known security.txt file, to enable vulnerability reporting? https://securitytxt.org/

      I want community feedback on this possible recommendation we could make to servers and product implementers. It seems easy, but I want community feedback to understand if there are other alternatives they currently use that we should consider.

      Another alternative uses DNS: https://dnssecuritytxt.org/

      See the chat discussion and poll: https://chat.fhir.org/#narrow/stream/179247-Security-and.20Privacy/topic/well-known.20security.2Etxt

      People

        Assignee: Unassigned
        Reporter: John Moehrke