Given that the requests concern the entirety of a person's personal information held by an organisation, the security of the Open Data Rights API is non-negotiable. Security is not a one-off property, so practices need to be established that provide continuous assurance.
Firstly, the security of the current proposal must be independently assessed; an audit cannot prove the absence of vulnerabilities, but it is the minimum bar before anyone relies on the design. Correspondingly, we strongly encourage a security audit to be completed in the near future, and we consider this essential before a definitive v1 release is made. After completion, the findings should be incorporated into the further development process, and the audit itself should be repeated at regular intervals rather than treated as a single milestone.
Secondly, a process needs to be established through which critical vulnerabilities can be reported confidentially, triaged and addressed in the shortest possible time. A public GitHub issue tracker is not suitable for this, since everything posted there is visible to everyone, including attackers, before a fix exists. A dedicated, confidential reporting channel must be set up and monitored, and staff must be made available to verify reported issues and coordinate fixes and disclosure.
Thirdly, common implementations on both the front-end and the back-end should be regularly tested and scrutinised for implementation faults and security weaknesses. We encourage the Data Rights API project to take responsibility not only for the specification but for the reference implementations as well, since a secure specification is of little value if the implementations that organisations actually deploy are flawed. These practices should raise the security of the ecosystem at large.