security.txt
A File Format to Aid in Security Vulnerability Disclosure
Example security.txt file

| | |
|---|---|
| Status | Published |
| Year started | 2017 |
| First published | September 2017 |
| Latest version | 12 (11 March 2021) |
| Authors | Edwin Foudil |
| Website | securitytxt |
security.txt is an accepted standard for website security information that is meant to allow security researchers to easily report security vulnerabilities.[1] The standard prescribes a text file called security.txt in the well-known location, similar in syntax to robots.txt but intended to be both machine- and human-readable, for those wishing to contact a website's owner about security issues.[2] security.txt files have been adopted by Google, GitHub, LinkedIn, and Facebook.[3]
History
The Internet Draft was first submitted by Edwin Foudil in September 2017.[4] At that time it covered four directives, "Contact", "Encryption", "Disclosure" and "Acknowledgement". Foudil expected to add further directives based on feedback.[5] In addition, web security expert Scott Helme said he had seen positive feedback from the security community while use among the top 1 million websites was "as low as expected right now".[4]
In 2019, the Cybersecurity and Infrastructure Security Agency (CISA) published a draft binding operational directive that requires all federal agencies to publish a security.txt file within 180 days.[6][7]
The Internet Engineering Steering Group (IESG) issued a Last Call for security.txt in December 2019 which ended on January 6, 2020.[8]
A study in 2021 found that over ten percent of top-100 websites published a security.txt file, with the percentage of sites publishing the file decreasing as more websites were considered.[9] The study also noted a number of discrepancies between the standard and the content of the file.
In April 2022, security.txt was accepted by the Internet Engineering Task Force (IETF) as RFC 9116.[1]
File format
security.txt files can be served under the /.well-known/ directory (i.e. /.well-known/security.txt) or the top-level directory (i.e. /security.txt) of a website. The file must be served over HTTPS and in plaintext format.[10]
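The following validator is an added example for this article, not code from the security.txt project or from RFC 9116. It checks a fetched file against the rules the article describes (a plaintext file of "Field: value" lines, served over HTTPS at one of the two permitted paths) and against the field constraints of RFC 9116 as the example assumes them: Contact and Expires are required, Expires and Preferred-Languages may appear at most once, Contact values are mailto:, tel: or https: URIs, and any web URI must use HTTPS. The two sample files are constructed for the example and do not describe any real site.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import urlparse

# Field rules assumed from RFC 9116: name -> (required, at most one occurrence)
FIELD_RULES = {
    "Acknowledgments": (False, False),
    "Canonical": (False, False),
    "Contact": (True, False),
    "Encryption": (False, False),
    "Expires": (True, True),
    "Hiring": (False, False),
    "Policy": (False, False),
    "Preferred-Languages": (False, True),
}
CONTACT_SCHEMES = {"mailto", "tel", "https"}
# Fields whose values are URIs; a plain http: URI in any of them is an error
URI_FIELDS = ("Acknowledgments", "Canonical", "Encryption", "Hiring", "Policy")


@dataclass
class Report:
    fields: dict[str, list[str]] = field(default_factory=dict)
    errors: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Split the file into 'Field: value' entries.

    Blank lines and '#' comment lines are skipped. Field names are matched
    case-insensitively and normalised to the RFC spelling; lines without a
    colon are collected under '__malformed__' so the validator can report them.
    """
    canonical = {name.lower(): name for name in FIELD_RULES}
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            fields.setdefault("__malformed__", []).append(raw)
            continue
        key = canonical.get(name.strip().lower(), name.strip())
        fields.setdefault(key, []).append(value.strip())
    return fields


def validate(text: str, now: datetime | None = None) -> Report:
    """Apply the field rules and return every violation found, not just the first."""
    now = now or datetime.now(timezone.utc)
    report = Report(fields=parse_security_txt(text))
    f = report.fields
    for raw in f.get("__malformed__", []):
        report.errors.append(f"malformed line (no 'Field: value'): {raw!r}")
    for name, (required, single) in FIELD_RULES.items():
        values = f.get(name, [])
        if required and not values:
            report.errors.append(f"missing required field {name}")
        if single and len(values) > 1:
            report.errors.append(f"{name} must appear at most once")
    for uri in f.get("Contact", []):
        if urlparse(uri).scheme not in CONTACT_SCHEMES:
            report.errors.append(f"Contact is not a mailto:/tel:/https: URI: {uri}")
    for stamp in f.get("Expires", []):
        try:
            # ISO 8601 / RFC 3339 timestamp; fromisoformat needs '+00:00' rather than 'Z'
            exp = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        except ValueError:
            report.errors.append(f"Expires is not an ISO 8601 datetime: {stamp}")
            continue
        if exp.tzinfo is None:
            report.errors.append(f"Expires must carry a timezone offset: {stamp}")
        elif exp <= now:
            report.errors.append(f"file expired at {stamp}")
    for name in URI_FIELDS:
        for uri in f.get(name, []):
            if urlparse(uri).scheme == "http":
                report.errors.append(f"{name} must use HTTPS, not HTTP: {uri}")
    return report


def is_valid_location(url: str) -> bool:
    """Serving location check: HTTPS at /.well-known/security.txt or the top-level /security.txt."""
    p = urlparse(url)
    return p.scheme == "https" and p.path in ("/.well-known/security.txt", "/security.txt")


# Constructed sample files (not taken from any real site)
SAMPLE_OK = """\
# constructed example file
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2099-12-31T23:59:59.000Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
"""

SAMPLE_BAD = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00.000Z
Expires: 2021-01-01T00:00:00.000Z
Policy: http://example.com/policy
just some text
"""

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        r = validate(sample)
        print(f"{label}: {'valid' if r.ok else 'invalid'}")
        for e in r.errors:
            print("  -", e)
```

The validator reports every violation rather than stopping at the first, which is what you want when auditing a fleet of domains for the kinds of discrepancies the 2021 study mentions: an expired Expires timestamp, a bare e-mail address instead of a mailto: URI, or a duplicated field.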
See also
- ads.txt
- humans.txt
- robots.txt
References
- ↑ 1.0 1.1 Foudil, Edwin; Shafranovich, Yakov (6 April 2022). RFC 9116 – A File Format to Aid in Security Vulnerability Disclosure. https://datatracker.ietf.org/doc/rfc9116/.
- ↑ "The Telltale Text File: Security Researcher Proposes Standard for Reporting Vulnerabilities" (in en-US). https://securityintelligence.com/news/the-telltale-text-file-security-researcher-proposes-standardization-for-reporting-vulnerabilities/.
- ↑ Cimpanu, Catalin (2019-11-29). "iOS apps could really benefit from the newly proposed Security.plist standard". https://www.zdnet.com/article/ios-apps-could-really-benefit-from-the-newly-proposed-security-plist-standard/.
- ↑ 4.0 4.1 Leyden, John (3 January 2018). "Bug-finders' scheme: Tick-tock, this tech's tested by flaws.. but who the heck do you tell?" (in en). https://www.theregister.co.uk/2018/01/03/security_notification_scheme/.
- ↑ "Security.txt Standard Proposed, Similar to Robots.txt" (in en-us). https://www.bleepingcomputer.com/news/security/security-txt-standard-proposed-similar-to-robots-txt/.
- ↑ "CISA Seeks Comments on How Government Should Handle Vulnerability Reports". https://duo.com/decipher/cisa-seeks-comments-on-how-government-should-handle-vulnerability-reports.
- ↑ Kuldell, Heather (2019-12-18). "CISA Still Wants Your Thoughts on Its Vulnerability Disclosure Policy". https://www.nextgov.com/cybersecurity/2019/12/cisa-still-wants-your-thoughts-its-vulnerability-disclosure-policy/161989/.
- ↑ "Security.txt – IESG issues final call for comment on proposed vulnerability reporting standard". 2019-12-12. https://portswigger.net/daily-swig/security-txt-iesg-issues-final-call-for-comment-on-proposed-vulnerability-reporting-standard.
- ↑ Poteat, Tara; Li, Frank (November 2021). "Who you gonna call?: an empirical evaluation of website security.txt deployment". Internet Measurement Conference. Online: ACM. pp. 526–532. doi:10.1145/3487552.3487841. https://dl.acm.org/doi/abs/10.1145/3487552.3487841.
- ↑ "Characterizing the Adoption of Security.txt Files". 2022-02-11. https://people.scs.carleton.ca/~abdou/findlay2022_madweb_authors_copy.pdf.
External links