Review – CISA Community Bulletin February 2024

Today, I received my monthly “CISA Community Bulletin February 2024” via email. Again, nothing special on my part, anyone can sign up to receive these emails. CISA describes the bulletin as: “The CISA Community Bulletin is a monthly publication that shares cybersecurity webinars and workshops, new publications, and best practices.” Unfortunately, the link to a web version of the Bulletin continues to be mis-typed as ‘#20’, which is less than helpful, and the Archive page is two months (December 2023) behind in providing web versions of the Bulletin.

This month’s Bulletin includes the following sections:

• Report a Cyber Incident (more info link),

• Announcements,

• Partnerships,

• Information Exchange, and

• Education and Training Workshops.

Each section provides a series of relatively short-form discussions with links to more information.


I found the discussion about security.txt to be especially interesting. It describes the problems that researchers frequently have trying to find contact information to report system or even web site vulnerabilities. CISA has found that a small percentage of web sites include a ‘security.txt’ file link that provides a text file with contact information that can be used to notify the owner of security issues. Unfortunately, the provided information link only takes one to the Cross-Sector Cybersecurity Performance Goals page, where the use of security.txt is recommended without explanation.

The Bulletin includes a link to the ‘security.txt’ file used on CISA’s publicly facing pages:

One piece of information that could be included on pages for vendors of equipment or software would be a link to their PSIRT page or the page for their vendor security advisories. This would be similarly helpful to people looking for vulnerability fixes.


For more information about the Bulletin, see my article at CFSN Detailed Analysis - subscription required.

