
Comment by kevincloudsec

9 days ago

Insurance is already moving that direction for cyber policies. Some underwriters now require screenshots or PDF exports of third-party vendor security attestations as part of the application process, not just URLs. The carriers learned the hard way that 'we linked to their SOC 2 landing page' doesn't hold up when that page disappears after an acquisition or rebrand.

> when that page disappears after an acquisition or rebrand.

Sadly, it does not even have to be an acquisition or rebrand. For most companies, a simple "website redo", even if the brand remains unchanged, will change up all the URLs such that any prior recorded ones return "not found". Granted, if the identical attestation is simply at a new URL, someone could potentially find that new URL and update the "policy" -- but that's also an extra effort that the insurance company can avoid by requiring screenshots or PDF exports.

  • It sounds like you work at Microsoft, they do that ALL the time.

    • Good lord no, I would never work for that massively evil corporation.

I do, however, work for one that is deathly allergic to HTTP redirects and that changes the user visible URLs each time they change/move/update servers (or for practically any other change). So there's a constant churn of "project X is deploying to Y on date Z, the new URL will be Q" announcements -- and meanwhile, you find that any deep links to URL Q[t-1] also got changed up when date Z arrives and the URL becomes Q[t]. And then in a few months, the same game, only with URL Q[t+1].
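The thread's point is that a bare link to a vendor's attestation is not evidence: the page can vanish after a site rebuild with no redirects, move under a redirect, or be silently replaced at the same URL. The script below is an added example (not code from the thread or from any insurer) of pinning the evidence to the document's bytes instead of its address: it stores a local copy plus a SHA-256 at capture time and, on re-check, classifies the link as intact, moved, changed, or gone. The vendor URLs, the attestation body and the fetch functions are all constructed so the example runs offline; in practice the fetcher would be `urllib`/`requests` following redirects.

```python
"""Pin third-party attestation evidence to content, not to a URL.

Added example, not from the original thread. The fetcher is injected so the
classification logic can be exercised offline against constructed responses.
"""
import hashlib
import json
import tempfile
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from pathlib import Path
from typing import Callable, Tuple

# A fetcher returns (http_status, final_url_after_redirects, body_bytes).
Fetcher = Callable[[str], Tuple[int, str, bytes]]


@dataclass
class Evidence:
    requested_url: str   # the link as recorded in the policy/questionnaire
    final_url: str       # where the fetch actually landed after redirects
    status: int
    sha256: str          # hash of the exact bytes we kept a copy of
    fetched_at: str      # UTC timestamp of capture
    local_copy: str      # path to the saved export


def capture(url: str, fetch: Fetcher, store: Path) -> Evidence:
    """Fetch the attestation and keep bytes + hash, not just the URL."""
    status, final_url, body = fetch(url)
    if status != 200:
        raise ValueError(f"{url} returned {status}; nothing to attest to")
    digest = hashlib.sha256(body).hexdigest()
    store.mkdir(parents=True, exist_ok=True)
    copy = store / f"{digest}.bin"          # content-addressed local export
    copy.write_bytes(body)
    return Evidence(url, final_url, status, digest,
                    datetime.now(timezone.utc).isoformat(), str(copy))


def revalidate(ev: Evidence, fetch: Fetcher) -> str:
    """Re-fetch the recorded link and say what happened to it."""
    status, final_url, body = fetch(ev.requested_url)
    if status == 404:
        return "gone"                       # site redo with no redirects
    if status != 200:
        return f"unexpected status {status}"
    same_bytes = hashlib.sha256(body).hexdigest() == ev.sha256
    if same_bytes and final_url == ev.final_url:
        return "intact"
    if same_bytes:
        return "moved"                      # redirect kept, document identical
    return "changed"                        # same URL, different bytes: re-review


# --- constructed sample data (hypothetical vendor, not a real site) ---------
ATTESTATION = b"<html>SOC 2 Type II summary, vendor X, period 2024</html>"
ORIGINAL_URL = "https://vendor.example/trust/soc2"
NEW_URL = "https://vendor.example/security/soc2"


def fetch_original(url: str):        # day 0: page is where the link says
    return 200, url, ATTESTATION


def fetch_after_redo(url: str):      # site rebuilt, no redirects: link dead
    return 404, url, b"not found"


def fetch_after_redirect(url: str):  # rebuilt, but a redirect was kept
    return 200, NEW_URL, ATTESTATION


def fetch_after_edit(url: str):      # same URL, document quietly replaced
    return 200, url, ATTESTATION.replace(b"2024", b"2023")


def demo() -> dict:
    """Capture once, then re-check under each of the four scenarios."""
    with tempfile.TemporaryDirectory() as d:
        ev = capture(ORIGINAL_URL, fetch_original, Path(d))
        assert Path(ev.local_copy).read_bytes() == ATTESTATION
        return {
            "intact": revalidate(ev, fetch_original),
            "redo": revalidate(ev, fetch_after_redo),
            "redirect": revalidate(ev, fetch_after_redirect),
            "edit": revalidate(ev, fetch_after_edit),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The "moved" outcome is the case the reply above describes as avoidable extra effort: the record can be updated to the new address without re-reviewing, because the hash proves the document is the same. "changed" is the case a screenshot or PDF export quietly guards against, since a link alone would never reveal it.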