Our MSC template contains the following section for security considerations:
Security considerations
All proposals must now have this section, even if it is to say there are no security issues.
Think about how to attack your proposal. See RFC 3552
for things to think about, but in particular pay attention to lists from sources like
OWASP Top Ten for inspiration.
Some proposals may have some security aspect to them that was addressed in the proposed solution. This
section is a great place to outline some of the security-sensitive components of your proposal, such as
why a particular approach was (or wasn't) taken. The example here is a bit of a stretch and unlikely to
actually be worthwhile of including in a proposal, but it is generally a good idea to list these kinds
of concerns where possible.
This already links to RFC 3552 and OWASP Top Ten as inspiration for things to consider. These are generic and not specific to Matrix, however. It might also be too easy for authors to just skip them entirely given that they're just links. Maybe we could improve this situation by extracting a checklist of things to consider into the template while continue to link to these sources for further inspiration?
From recent security discussions on proposals I was involved in and without putting too much thought in it, the following things come to mind:
Our MSC template contains the following section for security considerations:
This already links to RFC 3552 and OWASP Top Ten as inspiration for things to consider. These are generic and not specific to Matrix, however. It might also be too easy for authors to just skip them entirely given that they're just links. Maybe we could improve this situation by extracting a checklist of things to consider into the template while continue to link to these sources for further inspiration?
From recent security discussions on proposals I was involved in and without putting too much thought in it, the following things come to mind: