Developers propose security.txt standard for reporting security vulnerabilities
A group of developers has published an official RFC draft for the security.txt standard, which security researchers have increasingly advocated in recent years. A security.txt file tells a researcher where a vulnerability report can be submitted.
The Internet Engineering Task Force has published the text of the new standard online. With RFC 9116, an important step has been taken towards an official definition of what a security.txt file should contain. For the time being it is still a document with informational status, in which proposals are recorded; it is therefore not an official internet standard.
A security.txt file contains important information for security researchers who have discovered a vulnerability on a website. Security.txt is a text file that states which e-mail address a researcher can send a report to. Many companies have a separate process for this, such as a responsible disclosure policy, but the way they publish that information online often differs per company. A security.txt file should give researchers a uniform way to find it. The RFC standard should also make it possible to locate that information automatically.
The proposal to standardize the information comes from two developers, Edwin Foudil and Yakov Shafranovich of security company Nightwatch. They have been promoting the use of security.txt for years, pointing out that large companies such as Google and Facebook already use such a file. The two have also set up a website that can automatically generate a file for users.
The new standard states, among other things, what information should and should not be included in a security.txt file and in what format. For example, minimum contact information must be included. It must also contain an expiry date, from which researchers can see when a file is no longer current. Optional additions include a PGP key, a link to the disclosure policy, a link to a page thanking other researchers, a language preference, and a link to a security job posting page. It is also possible to list alternative URLs at which the file can be reached. The standard also states that companies must place the file in the /.well-known directory.
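As an added example (not part of the article, and not tooling from the RFC authors or the security.txt website), the following Python script parses a security.txt file and checks the constraints the article describes: required contact information, a required and still-valid expiry date, and the optional fields for a PGP key, disclosure policy, acknowledgments page, language preference, job page and alternative URLs. The field names follow RFC 9116 as the author of this example understands them; the sample file, its host names and addresses are constructed.

```python
"""Parse and sanity-check a security.txt file (RFC 9116).

Added example, not from the article or the standard's authors. The field
names and the "at most once" rules follow RFC 9116 as understood here.
"""
from datetime import datetime, timezone

# Constructed sample, as it might be served at /.well-known/security.txt
SAMPLE = """\
# Constructed example security.txt (all hosts/addresses are placeholders)
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2030-12-31T23:59:59.000Z
Encryption: https://example.com/pgp-key.txt
Acknowledgments: https://example.com/hall-of-fame
Preferred-Languages: en, nl
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/disclosure-policy
Hiring: https://example.com/jobs
"""

REQUIRED = {"contact", "expires"}
KNOWN = REQUIRED | {"encryption", "acknowledgments", "preferred-languages",
                    "canonical", "policy", "hiring"}
SINGLE = {"expires", "preferred-languages"}  # may appear at most once
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse(text):
    """Map lower-cased field name -> list of values (field names are
    case-insensitive). Blank lines and '#' comments are skipped; a line
    that is not 'Field: value' is an error."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: not a 'Field: value' line")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate(fields, now=None):
    """Return a list of problems; an empty list means the file looks sane."""
    now = now or datetime.now(timezone.utc)
    problems = []
    for req in sorted(REQUIRED):
        if req not in fields:
            problems.append(f"missing required field: {req}")
    for name, values in fields.items():
        if name not in KNOWN:
            problems.append(f"unknown field: {name}")
        if name in SINGLE and len(values) > 1:
            problems.append(f"{name} must appear at most once")
    # Contact values are URIs, so a bare e-mail address is not enough.
    for value in fields.get("contact", []):
        if not value.startswith(CONTACT_SCHEMES):
            problems.append(f"contact should be a mailto:/https:/tel: URI: {value}")
    # Expires is an RFC 3339 date-time; a past date means the file is stale.
    if "expires" in fields:
        try:
            exp = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                problems.append("expires must carry a timezone offset")
            elif exp <= now:
                problems.append("expires is in the past; file is stale")
        except ValueError:
            problems.append("expires is not an RFC 3339 date-time")
    return problems


def check(text, now=None):
    """Convenience wrapper: parse then validate."""
    return validate(parse(text), now)


if __name__ == "__main__":
    for problem in check(SAMPLE) or ["no problems found"]:
        print(problem)
```

Run it as-is to check the constructed sample, or replace `SAMPLE` with the body fetched from a site's `/.well-known/security.txt` (over HTTPS) to see whether the published file would still be usable by an automated consumer.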