security.txt

security.txt
A Method for Web Security Policies
	Example security.txt file
Status	Published
Year started	2017
First published	September 2017
Latest version	11; 11 March 2021
Authors	Edwin Foudil
Website	securitytxt.org

security.txt is a proposed standard for websites' security information that is meant to allow security researchers to easily report security vulnerabilities.^[1]^[2] The standard prescribes a text file called "security.txt" in the well known location, similar in syntax to robots.txt but intended to be read by humans wishing to contact a website's owner about security issues.^[3] security.txt files have been adopted by Google, GitHub, LinkedIn, and Facebook.^[4]

History[]

The Internet Draft was first submitted by Edwin Foudil in September 2017.^[1] At that time it covered four directives, "Contact", "Encryption", "Disclosure" and "Acknowledgement". Foudil expected to add further directives based on feedback.^[2] In addition, web security expert Scott Helme said he had seen positive feedback from the security community while use among the top 1 million websites was "as low as expected right now".^[1]

In 2019, the Cybersecurity and Infrastructure Security Agency (CISA) published a draft binding operational directive that requires all federal agencies to publish a security.txt file within 180 days.^[5]^[6]

The Internet Engineering Steering Group (IESG) issued a Last Call for security.txt in December 2019 which ended on January 6, 2020.^[7]

References[]

^ ^a ^b ^c at 13:47, John Leyden 3 Jan 2018. "Bug-finders' scheme: Tick-tock, this tech's tested by flaws.. but who the heck do you tell?". www.theregister.co.uk. Retrieved 2019-04-14.
^ ^a ^b "Security.txt Standard Proposed, Similar to Robots.txt". BleepingComputer. Retrieved 2019-04-14.
^ "The Telltale Text File: Security Researcher Proposes Standard for Reporting Vulnerabilities". Security Intelligence. Retrieved 2019-04-14.
^ Cimpanu, Catalin (2019-11-29). "iOS apps could really benefit from the newly proposed Security.plist standard". ZDNet. Retrieved 2020-06-16.
^ "CISA Seeks Comments on How Government Should Handle Vulnerability Reports". Decipher. Retrieved 2020-01-29.
^ Kuldell, Heather (2019-12-18). "CISA Still Wants Your Thoughts on Its Vulnerability Disclosure Policy". Nextgov.com. Retrieved 2020-01-29.
^ "Security.txt – IESG issues final call for comment on proposed vulnerability reporting standard". The Daily Swig | Cybersecurity news and views. 2019-12-12. Retrieved 2020-03-30.

External links[]

Official website

[Register-1] t 13:47, John Leyden 3 Jan 2018. "Bug-finders' scheme: Tick-tock, this tech's tested by flaws.. but who the heck do you tell?". www.theregister.co.uk. Retrieved 2019-04-14.

[BleepingComputer-2] "Security.txt Standard Proposed, Similar to Robots.txt". BleepingComputer. Retrieved 2019-04-14.

[3] "The Telltale Text File: Security Researcher Proposes Standard for Reporting Vulnerabilities". Security Intelligence. Retrieved 2019-04-14.

[Cimpanu_2019-4] Cimpanu, Catalin (2019-11-29). "iOS apps could really benefit from the newly proposed Security.plist standard". ZDNet. Retrieved 2020-06-16.

[Decipher-5] "CISA Seeks Comments on How Government Should Handle Vulnerability Reports". Decipher. Retrieved 2020-01-29.

[Kuldell_2019-6] Kuldell, Heather (2019-12-18). "CISA Still Wants Your Thoughts on Its Vulnerability Disclosure Policy". Nextgov.com. Retrieved 2020-01-29.

[The_Daily_Swig_|_Cybersecurity_news_and_views_2019-7] "Security.txt – IESG issues final call for comment on proposed vulnerability reporting standard". The Daily Swig | Cybersecurity news and views. 2019-12-12. Retrieved 2020-03-30.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

security.txt

Contents

History[]

See also[]

References[]

External links[]