security.txt
A File Format to Aid in Security Vulnerability Disclosure
Example security.txt file
StatusPublished
Year started2017
First publishedSeptember 2017
Latest versionApril 2022
AuthorsEdwin Foudil
Base standardsRFC 9116
Websitesecuritytxt.org

security.txt is an accepted standard for website security information that allows security researchers to report security vulnerabilities easily.[1] The standard prescribes a text file called security.txt in the well known location, similar in syntax to robots.txt but intended to be machine- and human-readable, for those wishing to contact a website's owner about security issues.[2] security.txt files have been adopted by Google, GitHub, LinkedIn, and Facebook.[3]

History

The Internet Draft was first submitted by Edwin Foudil in September 2017.[4] At that time it covered four directives, "Contact", "Encryption", "Disclosure" and "Acknowledgement". Foudil expected to add further directives based on feedback.[5] In addition, web security expert Scott Helme said he had seen positive feedback from the security community while use among the top 1 million websites was "as low as expected right now".[4]

In 2019, the Cybersecurity and Infrastructure Security Agency (CISA) published a draft binding operational directive that requires all federal agencies to publish a security.txt file within 180 days.[6][7]

The Internet Engineering Steering Group (IESG) issued a Last Call for security.txt in December 2019 which ended on January 6, 2020.[8]

A study in 2021 found that over ten percent of top-100 websites published a security.txt file, with the percentage of sites publishing the file decreasing as more websites were considered.[9] The study also noted a number of discrepancies between the standard and the content of the file.

In April 2022 the security.txt file has been accepted by Internet Engineering Task Force (IETF) as RFC 9116.[1]

File format

security.txt files can be served under the /.well-known/ directory (i.e. /.well-known/security.txt) or the top-level directory (i.e. /security.txt) of a website. The file must be served over HTTPS and in plaintext format.[10]

See also

References

  1. ^ a b Foudil, Edwin; Shafranovich, Yakov (April 2022). A File Format to Aid in Security Vulnerability Disclosure. Internet Engineering Task Force. doi:10.17487/RFC9116. ISSN 2070-1721. RFC 9116. Informational.
  2. ^ "The Telltale Text File: Security Researcher Proposes Standard for Reporting Vulnerabilities". Security Intelligence. Retrieved 2019-04-14.
  3. ^ Cimpanu, Catalin (2019-11-29). "iOS apps could really benefit from the newly proposed Security.plist standard". ZDNet. Retrieved 2020-06-16.
  4. ^ a b Leyden, John (3 January 2018). "Bug-finders' scheme: Tick-tock, this tech's tested by flaws.. but who the heck do you tell?". www.theregister.co.uk. Retrieved 2019-04-14.
  5. ^ "Security.txt Standard Proposed, Similar to Robots.txt". BleepingComputer. Retrieved 2019-04-14.
  6. ^ "CISA Seeks Comments on How Government Should Handle Vulnerability Reports". Decipher. Retrieved 2020-01-29.
  7. ^ Kuldell, Heather (2019-12-18). "CISA Still Wants Your Thoughts on Its Vulnerability Disclosure Policy". Nextgov.com. Retrieved 2020-01-29.
  8. ^ "Security.txt – IESG issues final call for comment on proposed vulnerability reporting standard". The Daily Swig | Cybersecurity news and views. 2019-12-12. Retrieved 2020-03-30.
  9. ^ Poteat, Tara; Li, Frank (November 2021). "Who you gonna call?: an empirical evaluation of website security.txt deployment". IMC '21: Proceedings of the 21st ACM Internet Measurement Conference. Internet Measurement Conference. Online: ACM. pp. 526–532. doi:10.1145/3487552.3487841.
  10. ^ "Characterizing the Adoption of Security.txt Files" (PDF). Characterizing the Adoption of Security.txt Files. 2022-02-11. Retrieved 2022-03-01.