Skip to content

sec: add /.well-known/security.txt at apex (RFC 9116)#4

Open
ascender1729 wants to merge 1 commit into
mainfrom
sec/add-security-txt
Open

sec: add /.well-known/security.txt at apex (RFC 9116)#4
ascender1729 wants to merge 1 commit into
mainfrom
sec/add-security-txt

Conversation

@ascender1729

@ascender1729 ascender1729 commented May 4, 2026

Copy link
Copy Markdown
Member

Summary

Adds /.well-known/security.txt (RFC 9116) so security researchers reaching attestix.io have a documented intake channel before contacting via Twitter / random email guesses. Particularly valuable given Attestix's "trust framework for AI agents" positioning — signals security maturity to prospective customers.

Source

Owner-self security audit on 2026-05-04. Tracked as INFO finding in ~/recon/attestix.io/2026-05-04/FINAL-REPORT.md (security.txt missing across apex/docs/demo).

Test plan

  • After deploy: curl https://attestix.io/.well-known/security.txt returns the file with Content-Type: text/plain.
  • Expires field set to 2027-05-04 (12 months); add a calendar reminder to rotate.
  • Optional follow-ups (out of this PR's scope):
    • Create /security/policy page (currently a forward-reference 404)
    • Create /security/acknowledgments page (currently a forward-reference 404)
    • Create the security@attestix.io mailbox (or alias to existing inbox)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Published standardized security contact endpoints to facilitate vulnerability reporting from users. Users can now easily report security issues through multiple designated channels including email and GitHub advisories. The configuration includes comprehensive security policy information, acknowledgments page, language preferences, and canonical endpoint details. Contact information remains valid through May 4, 2027.

@coderabbitai

coderabbitai Bot commented May 4, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@ascender1729 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 35 minutes and 39 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5a9e2aaa-b700-44d9-97bd-b3e147388268

📥 Commits

Reviewing files that changed from the base of the PR and between 2d9fca4 and ab84e42.

📒 Files selected for processing (1)
  • public/.well-known/security.txt
📝 Walkthrough

Walkthrough

A security.txt file is added to public/.well-known/ containing security contact endpoints, expiration date, preferred language, and URLs for canonical, policy, and acknowledgments information.

Changes

Security Contact Configuration

Layer / File(s) Summary
Security Metadata
public/.well-known/security.txt
New file published with security contact methods (email and GitHub security advisories), expiration timestamp (2027-05-04), preferred language, and links to security policy and acknowledgments pages.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A security door now stands so bright,
With contact details shining in the light,
From .well-known it proudly calls,
"Report your bugs within these walls!"

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately and specifically describes the main change: adding a security.txt file at the domain apex following RFC 9116 standards.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch sec/add-security-txt

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
Review rate limit: 0/1 reviews remaining, refill in 35 minutes and 39 seconds.

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@public/.well-known/security.txt`:
- Line 2: The Contact URL in public/.well-known/security.txt points to GitHub’s
advisories/new page which requires login; either enable and configure the
repository’s GitHub Security Advisories to accept public submissions and keep
the Contact as the repo’s security policy URL (e.g.,
https://github.com/VibeTensor/attestix/security/policy) or replace the Contact
value with an externally accessible channel (e.g., mailto:security@attestix.io
or a dedicated attestix.io/security-report form). Update the Contact line in
public/.well-known/security.txt accordingly and verify the chosen endpoint
accepts anonymous submissions and is reachable without requiring a GitHub login.
- Around line 6-7: The Policy and Acknowledgments entries in
public/.well-known/security.txt reference URLs that return 404; either update
the "Policy: https://attestix.io/security/policy" and "Acknowledgments:
https://attestix.io/security/acknowledgments" values to the correct, working
URLs or remove those lines entirely so the file contains only valid, resolvable
resources; ensure the final security.txt exposes reachable endpoints (or omits
broken entries) before merging.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 772db9bf-7960-4857-93d6-99642f93c3d8

📥 Commits

Reviewing files that changed from the base of the PR and between 97ec4ca and 2d9fca4.

📒 Files selected for processing (1)
  • public/.well-known/security.txt

Comment thread public/.well-known/security.txt
Comment on lines +6 to +7
Policy: https://attestix.io/security/policy
Acknowledgments: https://attestix.io/security/acknowledgments

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove or fix currently-404 Policy and Acknowledgments URLs before merge.

Per the PR notes, these links are currently 404. Publishing known-broken URLs in security.txt weakens researcher UX and can fail automated checks.

Suggested minimal fix
 Contact: mailto:security@attestix.io
 Contact: https://github.com/VibeTensor/attestix/security/advisories/new
 Expires: 2027-05-04T23:59:59.000Z
 Preferred-Languages: en
 Canonical: https://attestix.io/.well-known/security.txt
-Policy: https://attestix.io/security/policy
-Acknowledgments: https://attestix.io/security/acknowledgments
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
Policy: https://attestix.io/security/policy
Acknowledgments: https://attestix.io/security/acknowledgments
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@public/.well-known/security.txt` around lines 6 - 7, The Policy and
Acknowledgments entries in public/.well-known/security.txt reference URLs that
return 404; either update the "Policy: https://attestix.io/security/policy" and
"Acknowledgments: https://attestix.io/security/acknowledgments" values to the
correct, working URLs or remove those lines entirely so the file contains only
valid, resolvable resources; ensure the final security.txt exposes reachable
endpoints (or omits broken entries) before merging.

RFC 9116 security.txt - gives security researchers a documented intake
channel before reaching out. Especially valuable given Attestix's
"trust framework for AI agents" positioning.

Source: owner-self security audit on 2026-05-04. Tracked as INFO
finding in ~/recon/attestix.io/2026-05-04/FINAL-REPORT.md (security.txt
missing across apex/docs/demo).

Notes:
- Expires set to 2027-05-04 (12 months); rotate before then.
- The Policy and Acknowledgments URLs are forward-references; they
  return 404 until the corresponding pages are added. That's fine
  per RFC 9116 - receivers ignore unreachable hints.
- Once deployed, the GitHub Security Advisories link is the preferred
  intake; mailto is a fallback.
@ascender1729 ascender1729 force-pushed the sec/add-security-txt branch from 2d9fca4 to ab84e42 Compare May 4, 2026 12:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant