It's currently impossible to add custom files to a ".well-known" directory in the root of a website. We need to be able to create arbitrary files in this directory to support various site verification and configuration needs.
For example the .well-known/com.apple.remotemanagement, required by Apple to enable user device enrolments: https://developer.apple.com/documentation/devicemanagement/user_enrollment/onboarding_users_with_account_sign-in/implementing_the_simple_authentication_user-enrollment_flow
But many other examples exists, including security.txt: https://securitytxt.org/
Webflow User
.svg){kind=logo}
Recent development: https://www.cisa.gov/resources-tools/resources/product-security-bad-practices
In particular, the VDP is often in
/.well-known/security.txt, and CISA are calling out lack of VDP as a "Bad Practice":Failing to Publish a Vulnerability Disclosure Policy
For products used in service of critical infrastructure or NCFs, not having a published vulnerability disclosure policy (VDP) that includes the product in its scope is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety.
Recommended actions:
Software manufacturers should publish a VDP that:
Authorizes testing by members of the public on products offered by the manufacturer;
Commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP,
Provides a clear channel to report vulnerabilities; and
Allows for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure (CVD) best practices and international standards.
Software manufacturers should remediate all valid reported vulnerabilities in a timely and risk-prioritized manner.
Resources: CISA Secure by Design Pledge (Vulnerability Disclosure Policy), SSDF RV.1.3, ISO 29147.
Can we merge these votes into the following request, and get this looked into: https://wishlist.webflow.com/ideas/WEBFLOW-I-6154