Security.txt explained

security.txt
Long Name: A File Format to Aid in Security Vulnerability Disclosure
Status: Published
Year Started: 2017
First Published: September 2017
Version Date: April 2022
Authors: Edwin Foudil

security.txt is an accepted standard for website security information that allows security researchers to report security vulnerabilities easily. The standard prescribes a text file called security.txt in the well-known location, similar in syntax to robots.txt but intended to be both machine- and human-readable, for those wishing to contact a website's owner about security issues.[1] security.txt files have been adopted by Google, GitHub, LinkedIn, and Facebook.[2]

History

The Internet Draft was first submitted by Edwin Foudil in September 2017.[3] At that time it covered four directives, "Contact", "Encryption", "Disclosure" and "Acknowledgement". Foudil expected to add further directives based on feedback.[4] In addition, web security expert Scott Helme said he had seen positive feedback from the security community while use among the top 1 million websites was "as low as expected right now".

In 2019, the Cybersecurity and Infrastructure Security Agency (CISA) published a draft binding operational directive that requires all federal agencies to publish a security.txt file within 180 days.[5][6]

The Internet Engineering Steering Group (IESG) issued a Last Call for security.txt in December 2019 which ended on January 6, 2020.[7]

A study in 2021 found that over ten percent of top-100 websites published a security.txt file, with the percentage of sites publishing the file decreasing as more websites were considered.[8] The study also noted a number of discrepancies between the standard and the content of the file.

In April 2022 the security.txt file was accepted by the Internet Engineering Task Force (IETF) as .

File format

security.txt files can be served under the /.well-known/ directory (i.e. /.well-known/security.txt) or the top-level directory (i.e. /security.txt) of a website. The file must be served over HTTPS and in plaintext format.[9]
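The rules in this section (one of two fixed locations, HTTPS only, plain text, "Field: value" directives) are easy to get wrong, which is what the 2021 study's "discrepancies between the standard and the content of the file" refers to. The following validator is an added example written for this page, not code from the article or from any security.txt project. It parses the file format and checks the location, transport and directive rules the article states. The directive set it knows is the four directives the article lists from the 2017 draft; the published standard defines further directives, so a validator for current files would extend that set. The check that each Contact value is a mailto:, tel: or https: URI follows the published specification rather than this article. The sample file and example.com URLs are constructed placeholders.

```python
from urllib.parse import urlparse

# Directives the article names from the original 2017 draft.
DRAFT_DIRECTIVES = {"Contact", "Encryption", "Disclosure", "Acknowledgement"}

# The two locations the article gives for the file.
ALLOWED_PATHS = ("/.well-known/security.txt", "/security.txt")

# Constructed sample (example.com and its paths are placeholders, not a real site).
SAMPLE_SECURITY_TXT = """\
# Constructed security.txt used by this example
Contact: mailto:security@example.com
Contact: https://example.com/vulnerability-report
Encryption: https://example.com/pgp-key.txt
Acknowledgement: https://example.com/hall-of-fame
"""


def parse_security_txt(text):
    """Parse 'Field: value' lines into ({field: [values]}, [errors]).

    Blank lines and '#' comments are skipped; a field may repeat
    (e.g. several Contact lines), so every value is kept in order.
    Malformed lines are reported rather than silently dropped.
    """
    fields = {}
    errors = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            errors.append(f"line {lineno}: not a 'Field: value' line: {raw!r}")
            continue
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields, errors


def check_location(url, content_type=None):
    """Check where and how the file was served: HTTPS, a known path, plain text."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("not served over HTTPS")
    if parsed.path not in ALLOWED_PATHS:
        problems.append(f"unexpected path: {parsed.path}")
    if content_type is not None and not content_type.lower().startswith("text/plain"):
        problems.append(f"not plain text: Content-Type {content_type}")
    return problems


def check_fields(fields):
    """Check the directives: Contact must exist and hold a URI; others must be draft-known."""
    problems = []
    if not fields.get("Contact"):
        problems.append("missing Contact directive")
    for contact in fields.get("Contact", []):
        # The published specification (not spelled out in the article) requires a URI here.
        if not contact.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact is not a mailto:/tel:/https: URI: {contact}")
    for name in fields:
        if name not in DRAFT_DIRECTIVES:
            problems.append(f"directive not in the draft set: {name}")
    return problems


def validate(url, text, content_type=None):
    """Return every problem found for a file body fetched from url."""
    fields, errors = parse_security_txt(text)
    return errors + check_location(url, content_type) + check_fields(fields)


if __name__ == "__main__":
    problems = validate("https://example.com/.well-known/security.txt",
                        SAMPLE_SECURITY_TXT, "text/plain; charset=utf-8")
    for line in problems or ["OK: no problems found"]:
        print(line)
```

To use it against a live site, fetch the body and the Content-Type header with any HTTP client and pass them to `validate` together with the URL you requested; keeping the parser separate from the fetch makes the checks easy to run offline over a corpus of collected files, which is how the adoption studies cited above were done.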

Notes and References

  1. "The Telltale Text File: Security Researcher Proposes Standard for Reporting Vulnerabilities". Security Intelligence. Retrieved 2019-04-14.
  2. Catalin Cimpanu. "iOS apps could really benefit from the newly proposed Security.plist standard". ZDNet. 2019-11-29. Retrieved 2020-06-16.
  3. John Leyden. "Bug-finders' scheme: Tick-tock, this tech's tested by flaws.. but who the heck do you tell?". The Register (www.theregister.co.uk). 3 January 2018. Retrieved 2019-04-14.
  4. "Security.txt Standard Proposed, Similar to Robots.txt". BleepingComputer. Retrieved 2019-04-14.
  5. "CISA Seeks Comments on How Government Should Handle Vulnerability Reports". Decipher. Retrieved 2020-01-29.
  6. Heather Kuldell. "CISA Still Wants Your Thoughts on Its Vulnerability Disclosure Policy". Nextgov.com. 2019-12-18. Retrieved 2020-01-29.
  7. "Security.txt – IESG issues final call for comment on proposed vulnerability reporting standard". The Daily Swig. 2019-12-12. Retrieved 2020-03-30.
  8. Tara Poteat and Frank Li. "Who you gonna call?: an empirical evaluation of website security.txt deployment". IMC '21: Proceedings of the 21st ACM Internet Measurement Conference. ACM, November 2021, pp. 526–532. doi:10.1145/3487552.3487841.
  9. "Characterizing the Adoption of Security.txt Files". 2022-02-11. Retrieved 2022-03-01.