From de295e90bdd9b9cca7852268965f5198a3cdad10 Mon Sep 17 00:00:00 2001
From: Nick Malcolm <nmalcolm@gitlab.com>
Date: Fri, 22 Jul 2022 11:42:56 +1200
Subject: [PATCH] Updates security.txt with compliant & up-to-date details

- `security@` is not a supported disclosure method
- We use H1 for our acknowledgements
- To be RFC compliant we need an expiry date (https://securitytxt.org/)
- RFC says canonical points to the security.txt file itself
- Adds some explanatory comments

See also: https://gitlab.com/gitlab-com/www-gitlab-com/-/merge_requests/108013
---
 security.txt | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/security.txt b/security.txt
index f7adb43fda6b9..f19a0b6283d99 100644
--- a/security.txt
+++ b/security.txt
@@ -1,6 +1,16 @@
-Contact: security@gitlab.com
+# Preferred disclosure is via HackerOne
+Contact: https://hackerone.com/gitlab/
+# Additional disclosure processes are available in our handbook:
+Contact: https://about.gitlab.com/security/disclosure/
+
+Policy: https://hackerone.com/gitlab/
+
+Acknowledgments: https://hackerone.com/gitlab/
 Acknowledgments: https://about.gitlab.com/security/vulnerability-acknowledgements/
+
+Canonical: https://gitlab.com/gitlab-org/gitlab/-/blob/master/security.txt
+
 Preferred-Languages: en
-Canonical: https://about.gitlab.com/security/disclosure/
-Policy: https://hackerone.com/gitlab
 Hiring: https://about.gitlab.com/jobs/
+
+Expires: 2023-07-31T00:00:00Z
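Review bot: the new `Expires: 2023-07-31T00:00:00Z` value is slightly more than a year past this patch's date (22 Jul 2022), whereas RFC 9116 recommends that Expires be less than a year into the future so a stale file stops being trusted; consider a date under a year out, or one tied to a periodic review of the file, e.g. `Expires: 2023-07-01T00:00:00Z`. Also, `Canonical: https://gitlab.com/gitlab-org/gitlab/-/blob/master/security.txt` resolves to GitLab's HTML file viewer rather than to the security.txt file itself; the Canonical field in RFC 9116 is meant to list the URI(s) where the file is actually served (typically the `/.well-known/security.txt` location), so verify that the value matches where this file is published and, if it is served from more than one location, list each one as a separate Canonical line.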
-- 
GitLab