GH-157: Document vulnerability disclosure mechanism

acteng · Sep 25, 2024 · e4a3860 · e4a3860
1 parent fde8602
commit e4a3860
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 1 deletion.
diff --git a/schemes/views/legal.py b/schemes/views/legal.py
@@ -1,4 +1,4 @@
-from flask import Blueprint, render_template
+from flask import Blueprint, Response, render_template, send_from_directory
 
 from schemes.views.auth.basic import basic_auth
 
@@ -21,3 +21,8 @@ def accessibility() -> str:
 @basic_auth
 def cookies() -> str:
     return render_template("legal/cookies.html")
+
+
+@bp.get("/.well-known/security.txt")
+def security() -> Response:
+    return send_from_directory(directory="views/templates/legal", path="security.txt")
diff --git a/schemes/views/templates/legal/security.txt b/schemes/views/templates/legal/security.txt
@@ -0,0 +1,3 @@
+Contact: https://vulnerability-reporting.service.security.gov.uk/
+
+Expires: 2025-01-31T00:00:00Z
diff --git a/tests/integration/test_legal.py b/tests/integration/test_legal.py
@@ -24,3 +24,8 @@ def test_cookies(self, client: FlaskClient) -> None:
 
         assert cookies_page.is_visible
         assert cookies_page.title == "Cookies - Update your capital schemes - Active Travel England - GOV.UK"
+
+    def test_security(self, client: FlaskClient) -> None:
+        response = client.get("/.well-known/security.txt")
+
+        assert response.status_code == 200 and response.content_type == "text/plain; charset=utf-8"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		Contact: https://vulnerability-reporting.service.security.gov.uk/

		Expires: 2025-01-31T00:00:00Z