by jjarmoc
4231 days ago
I didn't mean to imply that 18F is responsible for everything in the .gov namespace, and I have no reason to doubt that you guys take security seriously. The problem, from my perspective, is that NO ONE is responsible for everything in the .gov namespace. Trying to sort out an appropriate security contact, especially for relatively minor vulns like this (though it's likely also reflected cross site scripting on benefits.gov) is a nightmare. Another example involves some work I did while at a previous employer: https://web.archive.org/web/20131114050720/http://www.secure... I definitely think you're right that a dedicated security inbox would be helpful. Even better would be a dedicated .gov-wide security inbox. I don't know how difficult it would be to establish something like that, but it would give security-minded folks who care about improving things an outlet for sharing these sorts of details, and hopefully help get things fixed.

Actually, the Department of Homeland Security is responsible for the security of .gov (at least in theory). I don't think they have unilateral directive authority to enforce that, however, which is a big problem. But maybe reporting the issue to DHS (whatever their cyber security division is) can rattle something loose.