Does your website have a security.txt file to let security researchers know how to responsibly contact you regarding security vulnerabilities on your site?
This week I had to complete a security assessment for a potential client. It was the first time I’d seen a questionnaire ask if we had a security.txt file.
RFC 9116 specifies a file in the .well-known/security.txt path of a website to, as the RFC title says, aid in security vulnerability disclosure.
Here’s an example. This is the security file Google publishes at https://www.google.com/.well-known/security.txt:
Contact: https://g.co/vulnz
Contact: mailto:[email protected]
Encryption: https://services.google.com/corporate/publickey.txt
Acknowledgments: https://bughunters.google.com/
Policy: https://g.co/vrp
Hiring: https://g.co/SecurityPrivacyEngJobs
Expires: 2030-04-01T00:00:00z
This file contains:
- Provides contact information where you can directly contact Google if you’d found a security vulnerability.
- Their public PGP encryption key so that you can send them encrypted messages.
- Their public Acknowledgements page, thanking security researchers who have reported bugs in the past.
- Their security policies
- A link to their job postings for security related positions.
One of the features of this standard I really like is the Expires value. You can use this to make sure that this file doesn’t get forgotten with old contact information in it for someone who is no longer at the company, or with a PGP key that someone lost years ago.
You can use automation to warn you when your security.txt is approaching expiry or throw errors once expired, giving you a chance to review it.
For more information about the standard, go to https://securitytxt.org/
