What is a Security.txt File?
Organizations adopt a wide variety of disclosure policies and cybersecurity practices, but these are often a mystery to the security researchers tasked with informing an organization about security vulnerabilities or data leaks. A common scenario is a security researcher finding sensitive information from an organization for sale on the dark web and then they ask the standard question: “Who should I report this to?” In order to address this and to provide some standards and transparency in cybersecurity, the Internet Engineering Task Force (IETF) is drafting a standard that supports the application of the machine-parsable format “security.txt” to, “…help organizations describe their vulnerability disclosure practices to make it easier for researchers to report vulnerabilities.”1 The concept of security.txt is quite simple. Organizations place a file titled security.txt in a predictable and conspicuous place on their website so that it is easy for security researchers to find it. The contents of the security.txt will vary depending on what policies and programs that an organization wishes to address. Generally, links to information about the organization’s vulnerability disclosure policies will be there, as well as contact information. Opening Google’s security.txt file you will find a stark page with links to contacts, encryption, acknowledgements, policy, and hiring. Gotsecuritytxt.com scans the top 250 sites daily, looking for their security.txt files, if you would like to see more examples.2While the IETF standard is still in draft form and has not yet been officially adopted, many organizations have forged ahead and created security.txt files in anticipation of this forthcoming guidance. That said, many more have not done so. One of the reasons for this is that the security.txt file seems to invite a large volume of spam emails, primarily from self-appointed penetration testers who run automated vulnerability discovery tools and submit the resulting reports in hopes of securing a bug bounty fee or a consulting engagement.3 This unfortunately can result in valid reports being buried in an avalanche of sub-par auto-generated reports. To combat this, create filters with keywords that are routinely found in the auto-generated reports so that they can be categorized or ignored.Even though the bugs have not yet been worked out of this approach to bug-reporting, it is worthwhile to consider getting in front of this standard that is on its way. The security.txt file provides security researchers with the information that they need to alert you swiftly to a vulnerability or breach, allowing you to respond quickly and, hopefully, prevent or minimize damage.
1 IETF, 2021, “A File Format to Aid in Security Vulnerability Disclosure draft-foudil-securitytxt-12”2 Gotsecuritytxt.com, 2021, “What is a security.txt. file?3 Krebs, 2021, “Does Your Organization Have a Security.txt file?”