Security.txt

security.txt

security.txt

Internet standard for posting security contact information

security.txt is an accepted standard for website security information that allows security researchers to report security vulnerabilities easily.[1] The standard prescribes a text file called security.txt in the well known location, similar in syntax to robots.txt but intended to be machine- and human-readable, for those wishing to contact a website's owner about security issues.[2] security.txt files have been adopted by Google, GitHub, LinkedIn, and Facebook.[3]

Quick Facts Status, Year started ...

History

The Internet Draft was first submitted by Edwin Foudil in September 2017.[4] At that time it covered four directives, "Contact", "Encryption", "Disclosure" and "Acknowledgement". Foudil expected to add further directives based on feedback.[5] In addition, web security expert Scott Helme said he had seen positive feedback from the security community while use among the top 1 million websites was "as low as expected right now".[4]

In 2019, the Cybersecurity and Infrastructure Security Agency (CISA) published a draft binding operational directive that requires all federal agencies to publish a security.txt file within 180 days.[6][7]

The Internet Engineering Steering Group (IESG) issued a Last Call for security.txt in December 2019 which ended on January 6, 2020.[8]

A study in 2021 found that over ten percent of top-100 websites published a security.txt file, with the percentage of sites publishing the file decreasing as more websites were considered.[9] The study also noted a number of discrepancies between the standard and the content of the file.

In April 2022 the security.txt file has been accepted by Internet Engineering Task Force (IETF) as RFC 9116.[1]

File format

security.txt files can be served under the /.well-known/ directory (i.e. /.well-known/security.txt) or the top-level directory (i.e. /security.txt) of a website. The file must be served over HTTPS and in plaintext format.[10]

See also

References

  1. [1]
    Foudil, Edwin; Shafranovich, Yakov (6 April 2022). "RFC 9116 – A File Format to Aid in Security Vulnerability Disclosure". Datatracker.ietf.org.
  2. [2]
    "The Telltale Text File: Security Researcher Proposes Standard for Reporting Vulnerabilities". Security Intelligence. Retrieved 2019-04-14.
  3. [3]
    Cimpanu, Catalin (2019-11-29). "iOS apps could really benefit from the newly proposed Security.plist standard". ZDNet. Retrieved 2020-06-16.
  4. [4]
    Leyden, John (3 January 2018). "Bug-finders' scheme: Tick-tock, this tech's tested by flaws.. but who the heck do you tell?". www.theregister.co.uk. Retrieved 2019-04-14.
  5. [5]
    "Security.txt Standard Proposed, Similar to Robots.txt". BleepingComputer. Retrieved 2019-04-14.
  6. [6]
    "CISA Seeks Comments on How Government Should Handle Vulnerability Reports". Decipher. Retrieved 2020-01-29.
  7. [7]
    Kuldell, Heather (2019-12-18). "CISA Still Wants Your Thoughts on Its Vulnerability Disclosure Policy". Nextgov.com. Retrieved 2020-01-29.
  8. [8]
    "Security.txt – IESG issues final call for comment on proposed vulnerability reporting standard". The Daily Swig | Cybersecurity news and views. 2019-12-12. Retrieved 2020-03-30.
  9. [9]
    Poteat, Tara; Li, Frank (November 2021). "Who you gonna call?: an empirical evaluation of website security.txt deployment". IMC '21: Proceedings of the 21st ACM Internet Measurement Conference. Internet Measurement Conference. Online: ACM. pp. 526–532. doi:10.1145/3487552.3487841.
  10. [10]
    "Characterizing the Adoption of Security.txt Files" (PDF). Characterizing the Adoption of Security.txt Files. 2022-02-11. Retrieved 2022-03-01.
Share this article:

This article uses material from the Wikipedia article Security.txt, and is written by contributors. Text is available under a CC BY-SA 4.0 International License; additional terms may apply. Images, videos and audio are available under their respective licenses.