sec: add /.well-known/security.txt at apex (RFC 9116)#4
Conversation
|
Warning Rate limit exceeded
To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughA ChangesSecurity Contact Configuration
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Review rate limit: 0/1 reviews remaining, refill in 35 minutes and 39 seconds.Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@public/.well-known/security.txt`:
- Line 2: The Contact URL in public/.well-known/security.txt points to GitHub’s
advisories/new page which requires login; either enable and configure the
repository’s GitHub Security Advisories to accept public submissions and keep
the Contact as the repo’s security policy URL (e.g.,
https://github.com/VibeTensor/attestix/security/policy) or replace the Contact
value with an externally accessible channel (e.g., mailto:security@attestix.io
or a dedicated attestix.io/security-report form). Update the Contact line in
public/.well-known/security.txt accordingly and verify the chosen endpoint
accepts anonymous submissions and is reachable without requiring a GitHub login.
- Around line 6-7: The Policy and Acknowledgments entries in
public/.well-known/security.txt reference URLs that return 404; either update
the "Policy: https://attestix.io/security/policy" and "Acknowledgments:
https://attestix.io/security/acknowledgments" values to the correct, working
URLs or remove those lines entirely so the file contains only valid, resolvable
resources; ensure the final security.txt exposes reachable endpoints (or omits
broken entries) before merging.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 772db9bf-7960-4857-93d6-99642f93c3d8
📒 Files selected for processing (1)
public/.well-known/security.txt
| Policy: https://attestix.io/security/policy | ||
| Acknowledgments: https://attestix.io/security/acknowledgments |
There was a problem hiding this comment.
Remove or fix currently-404 Policy and Acknowledgments URLs before merge.
Per the PR notes, these links are currently 404. Publishing known-broken URLs in security.txt weakens researcher UX and can fail automated checks.
Suggested minimal fix
Contact: mailto:security@attestix.io
Contact: https://github.com/VibeTensor/attestix/security/advisories/new
Expires: 2027-05-04T23:59:59.000Z
Preferred-Languages: en
Canonical: https://attestix.io/.well-known/security.txt
-Policy: https://attestix.io/security/policy
-Acknowledgments: https://attestix.io/security/acknowledgments📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| Policy: https://attestix.io/security/policy | |
| Acknowledgments: https://attestix.io/security/acknowledgments |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@public/.well-known/security.txt` around lines 6 - 7, The Policy and
Acknowledgments entries in public/.well-known/security.txt reference URLs that
return 404; either update the "Policy: https://attestix.io/security/policy" and
"Acknowledgments: https://attestix.io/security/acknowledgments" values to the
correct, working URLs or remove those lines entirely so the file contains only
valid, resolvable resources; ensure the final security.txt exposes reachable
endpoints (or omits broken entries) before merging.
RFC 9116 security.txt - gives security researchers a documented intake channel before reaching out. Especially valuable given Attestix's "trust framework for AI agents" positioning. Source: owner-self security audit on 2026-05-04. Tracked as INFO finding in ~/recon/attestix.io/2026-05-04/FINAL-REPORT.md (security.txt missing across apex/docs/demo). Notes: - Expires set to 2027-05-04 (12 months); rotate before then. - The Policy and Acknowledgments URLs are forward-references; they return 404 until the corresponding pages are added. That's fine per RFC 9116 - receivers ignore unreachable hints. - Once deployed, the GitHub Security Advisories link is the preferred intake; mailto is a fallback.
2d9fca4 to
ab84e42
Compare
Summary
Adds
/.well-known/security.txt(RFC 9116) so security researchers reachingattestix.iohave a documented intake channel before contacting via Twitter / random email guesses. Particularly valuable given Attestix's "trust framework for AI agents" positioning — signals security maturity to prospective customers.Source
Owner-self security audit on 2026-05-04. Tracked as INFO finding in
~/recon/attestix.io/2026-05-04/FINAL-REPORT.md(security.txt missing across apex/docs/demo).Test plan
curl https://attestix.io/.well-known/security.txtreturns the file withContent-Type: text/plain.Expiresfield set to 2027-05-04 (12 months); add a calendar reminder to rotate./security/policypage (currently a forward-reference 404)/security/acknowledgmentspage (currently a forward-reference 404)security@attestix.iomailbox (or alias to existing inbox)🤖 Generated with Claude Code
Summary by CodeRabbit