security.txt

A proposed standard that lets websites publish their security policies. security.txt gives organizations a standard way to define the process by which security researchers can disclose vulnerabilities securely.

security.txt is a proposed standard (RFC) designed to provide a simple, machine-readable way for websites to define their security policies and vulnerability disclosure processes.

The principal functionalities of this standard include:

1. Standardized Vulnerability Disclosure

  • Structured Channels: It provides a standard to help organizations define clear channels for independent security researchers to report vulnerabilities.

  • Improved Communication: By offering a dedicated contact point, it ensures that security issues are reported to the right people rather than being left unreported.

  • Global Recognition: The standard is endorsed by major governments (including the UK, US, France, Italy, and Australia) and implemented by tech giants like Google, Facebook, and GitHub.

2. Required and Optional Information Fields

  • Mandatory Contact Information: Every file must include a Contact field (starting with mailto:, tel:, or https://) so researchers know how to reach the security team.

  • Expiration Management: It requires an Expires field in ISO 8601 format to indicate when the information in the file should be considered stale and no longer trusted.

  • Security Context: Organizations can optionally include links to their Encryption keys (for secure communications), detailed reporting Policies, and a list of Preferred-Languages spoken by the security team.

3. Technical Deployment and Verification

  • Standardized Location: For consistency, the file is placed at the /.well-known/security.txt path, though the root directory (/security.txt) is supported as a fallback.

  • Plain Text Format: The file must be served as text/plain and must be transmitted over HTTPS to ensure integrity.

  • Authenticity Measures: The standard supports digital signatures (such as OpenPGP cleartext signatures) to give researchers confidence that the file is authentic and has not been planted by an attacker.

4. Community and Organizational Tools

  • Public Recognition: Organizations can include an Acknowledgments field linking to a "hall of fame" or page thanking researchers who have helped secure the platform.

  • Recruitment and Automation: It supports optional fields for Hiring (linking to security job openings) and CSAF (linking to Common Security Advisory Framework metadata).
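As an added example (not code from the original page or from the security.txt project), the following Python checker applies the Contact and Expires rules from section 2 to a file, after unwrapping the OpenPGP cleartext signature wrapper that section 3 mentions. The sample file, function names and problem messages are constructed for this illustration; unwrapping the signature is not the same as verifying it, which needs an OpenPGP implementation.

```python
from datetime import datetime, timezone

# Constructed sample (not from any real site), wrapped as an OpenPGP cleartext
# signature as section 3 describes; the signature data itself is left out.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Disclosure policy: https://example.com/policy
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2035-12-31T23:59:00Z
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
"""

def unwrap_cleartext_signature(text: str) -> str:
    # Return just the signed body; verifying the signature is left to an OpenPGP tool.
    if not text.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        return text
    body = text[text.index("\n\n") + 2:text.index("-----BEGIN PGP SIGNATURE-----")]
    # lines beginning with "- " are dash-escaped inside cleartext signatures
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body.splitlines())

def parse_security_txt(text: str) -> dict[str, list[str]]:
    # Field names are case-insensitive, '#' lines are comments, other lines are ignored.
    fields: dict[str, list[str]] = {}
    for line in unwrap_cleartext_signature(text).splitlines():
        name, sep, value = line.partition(":")
        if sep and not line.lstrip().startswith("#"):
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate(text: str, now=None) -> list[str]:
    # Apply the Contact/Expires rules from section 2; an empty list means the file passes.
    now = now or datetime.now(timezone.utc)
    f, problems = parse_security_txt(text), []
    if not (contacts := f.get("contact", [])):
        problems.append("missing mandatory Contact field")
    problems += [f"Contact has unexpected scheme: {c}"
                 for c in contacts if not c.startswith(("mailto:", "tel:", "https://"))]
    if len(expires := f.get("expires", [])) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            when = datetime.fromisoformat(expires[0].upper().replace("Z", "+00:00"))
            if when.replace(tzinfo=when.tzinfo or timezone.utc) <= now:
                problems.append(f"file expired on {expires[0]}; treat its contents as stale")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
    return problems
```

Running `validate(SAMPLE)` returns an empty list; feeding it a file with an http: contact or a past Expires value returns one message per rule broken.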