Kevin BeaumontApr 14, 2024
I wrote up the Delinea Secret Server Cloud security incident situation: https://doublepulsar.com/delinea-has-cloud-security-incident-in-thycotic-secret-server-gaff-581a33990882
Delinea has cloud security incident in Thycotic Secret Server gaff

This is a weird one. Customers of Delinea Secret Server Cloud had a mysterious outage on Friday due to a “security incident” – this was visible on a service status page: Delinea Secret Server – also…

DoublePulsar
Show threadKevin BeaumontApr 14, 2024

As far as I can see Delinea have no responsible disclosure programme or vulnerability reporting contact.

They did, however, do a podcast about how to run one 😬 https://delinea.com/events/podcasts/responsible-disclosure-programs-katie-moussouris-casey-ellis

Podcast: Responsible Disclosure Programs | Moussouris, Ellis

Katie Moussouris and Casey Ellis join Joe and Mike to talk all things responsibility disclosure – the good, the bad, and the ugly.

Delinea
Show threadKevin BeaumontApr 14, 2024
Delinea have removed the paywall on the IoCs and remediation information.
Show threadKevin BeaumontApr 14, 2024

In fairness to Delinea I think they have got on top of this really well now. The remediation guide is top tier.

They probably want to have a look at their CMS setup for their online portals, eg the podcast and marketing content is really well search engine optimised, but the security content (including responsible disclosure policy) is on a platform which is really search engine unfriendly - most of it is so buried I can’t even find it via Google, I think they might be blocking it by mistake.

Show threadKevin Beaumont

All of Delinea’s product and cloud security info is on trust.delinea.com - but only the front page is indexed by search engines, there’s only two results. They block pages off using robots.txt - including how to report vulnerabilities.

Other orgs probably want to learn from that.

Apr 14, 2024 at 7:33pmWeb
Show threadKevin BeaumontApr 14, 2024

Also, allow me to plug: https://securitytxt.org/

Example usage: https://www.google.com/.well-known/security.txt

https://www.meta.com/.well-known/security.txt

security.txt

A proposed standard that allows websites to define security policies.

security.txt
Show threadInternet.nlApr 14, 2024
@GossiTheDog
👍 For these two there is still some room for improvement…
- https://en.internet.nl/site/meta.com/2735641/#control-panel-31
- https://en.internet.nl/site/google.com/2735642/#control-panel-31
Website test: meta.com

Test for modern Internet Standards IPv6, DNSSEC, HTTPS, HSTS, DMARC, DKIM, SPF, STARTTLS, DANE, RPKI and security.txt

Show threadDrew Scott DanielsApr 14, 2024
@GossiTheDog and for Wordpress there are plugins like this one (that has source code and supports people using several languages to collect the relevant data): https://github.com/austinheap/wordpress-security-txt?tab=readme-ov-file I haven’t tried this one, but it looks useful.
GitHub - austinheap/wordpress-security-txt: A plugin for serving `security.txt` in WordPress 4.9+, based on configuration settings. https://securitytext.org/

A plugin for serving `security.txt` in WordPress 4.9+, based on configuration settings. https://securitytext.org/ - austinheap/wordpress-security-txt

GitHub
Show threadBrian ClarkApr 14, 2024
@drewdaniels @GossiTheDog unfortunately not maintained since 2021
Show threadDrew Scott DanielsApr 14, 2024
@deepthoughts10 @GossiTheDog Wordpress is a pain to add things. ☹️
Yeah, the one I linked to may not even work: https://github.com/austinheap/wordpress-security-txt/issues/7
I’ll keep looking or maybe write my own plugin. I remember there are a few ways to put in arbitrary file locations without a plugin but that may not work on all hosting providers.
404 when trying to access .well-known/security.txt · Issue #7 · austinheap/wordpress-security-txt

First, thank you for this plugin - I was very happy to find it :) I've just installed the plugin and enabled it on the setting section. For some reason, when I'm trying to access .well-known/securi...

GitHub