Create public landing page for inventory.data.gov #1863
Description
User Story
In order to avoid unnecessary effort searching through federal open data for sensitive information, security researchers want a public landing page that explains what inventory.data.gov is and what kind of data it contains.
Acceptance Criteria
[ACs should be clearly demoable/verifiable whenever possible. Try specifying them using BDD.]
- WHEN I browse to https://inventory.data.gov/ without authentication
THEN I see a landing page that explains what inventory.data.gov is and what kinds of data it contains.
Background
We often get false positives for Improper Access Control related to datasets on catalog and inventory. While it's not hard to see that catalog is a public site containing open data, the same is not true for inventory.data.gov. Most APIs are publicly exposed, but nearly all the web views are restricted behind a login. This gives the appearance that data in inventory.data.gov is not meant to be public when in fact it is.
Additionally, datasets tagged with public_access_level: non-public metadata may exist in the inventory and catalog with public resources, such as documentation or links on how to request access to these datasets. The fact that these datasets are marked non-public yet have public metadata and resources can be confusing, but it is intentional.
Security Considerations (required)
None
Sketch
[Notes or a checklist reflecting our understanding of the selected approach]