User Story
In order to avoid unnecessary effort searching through federal open data for sensitive information, security researchers want a public landing page that explains what inventory.data.gov is and what kind of data it contains.
Acceptance Criteria
[ACs should be clearly demoable/verifiable whenever possible. Try specifying them using BDD.]
WHEN I browse to https://inventory.data.gov/ without authentication
THEN I see a landing page that explains what inventory.data.gov is and what kinds of data it contains.
Background
We often get false positives for Improper Access Control related to datasets on catalog and inventory. While it's not hard to see that catalog is a public site containing open data, the same is not true for inventory.data.gov. Most APIs are publicly exposed, but nearly all the web views are restricted behind a login. This gives the appearance that data in inventory.data.gov is not meant to be public when in fact it is.
Additionally, datasets tagged with public_access_level: non-public metadata may exist in the inventory and catalog with public resources, such as documentation or links on how to request access to these datasets. The fact that these datasets are marked non-public, yet have public metadata and resources, can be confusing, but it is intentional.
Security Considerations (required)
None
Sketch
[Notes or a checklist reflecting our understanding of the selected approach]