Imagine that a security expert has found a vulnerability on your company's website and wants to report it to you. Hunting through your social media accounts to deliver the report, or trying to explain the problem to your customer service staff in technical language, wastes time. This is where a security.txt file speeds up the process of getting the vulnerability fixed.
security.txt is a file that tells white hat hackers and security researchers how to report any vulnerability they find, whether by accident or out of curiosity about whether your data is safe. Its syntax resembles that of robots.txt, but it is intended for website owners to publish their security contacts in an easily found place, so it is written to be human readable.
In this article, we will answer any questions about the security.txt file.
Note: Edwin Foudil first published the security.txt file in September 2017. Its latest version was released in July 2019.
In this section, we will elucidate how to create the security.txt file and how its content should be written.
First, the security.txt file is intended to be served with the Content-Type "text/plain".
The file is placed in the /.well-known/ directory of your website (https://securityforeveryone.com/.well-known/security.txt). It is also recommended to make it reachable at /security.txt, so that it can be accessed directly from the root directory (https://securityforeveryone.com/security.txt). The fixed file name and well-known location exist so that whoever finds a vulnerability does not waste time trying to reach you, and so that there is a common standard.
Moreover, the file must be served over HTTPS. Consequently, every URL in the file must begin with "HTTPS://".
Now, we are ready to examine the directives in our file and see what our file will look like.
The file consists of directives, each with a value. Contact is one of the two directives that must be present in a security.txt file. If you want to be reachable in more than one way, add several lines with the same directive key, one per address. Don't forget the "mailto:" prefix for e-mail addresses and "tel:" for phone numbers.
The information in a security.txt file is only accurate for a certain period, because organizations change. After that, people who want to reach you may send reports to the wrong contact address, which costs both parties time, information, and energy. It is therefore important to keep the expiration date up to date whenever the file changes. This is the second mandatory directive of the security.txt file.
You may want to sign the file digitally so that readers can verify the authenticity of its data. In that case, add the URL at which the file is located as the canonical directive, so that the signature covers the file's location.
You can add the PGP key directive if security researchers want to encrypt their reports to you. If the key is provided via a link, do not forget that the link must begin with "HTTPS://".
PGP key for Security For Everyone:
Instead of the key itself, you can also give a link to it:
This directive is the link that lets security researchers access your vulnerability disclosure policy.
Having access to your security policy helps researchers prepare their reports.
Since this value is also a web link, it must begin with "HTTPS://".
You can add a link to a page listing the people or companies who have helped find vulnerabilities in your organization and whom you want to thank.
You can leave a link where professionals interested in your company can apply to work with you.
You can list the languages your security team uses in this directive, separated by commas. Using a common language speeds up resolving the security problem.
It will be better to see everything together.
Although the directives seem sufficient on their own, you can also add comment lines to your file. Just put a "#" at the beginning of any line you want treated as a comment.
An example security.txt file
You do not have to publish an e-mail address: if you are concerned about spam, set a URI as the Contact value and link to your security policy instead.
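As an added example, not code from the original article, here is a small Python checker for the rules described above: the two mandatory directives, the expiration date, the "mailto:"/"tel:" prefixes, and the HTTPS requirement for links. It assumes the directive names Contact, Expires, Canonical, Encryption, Policy, Acknowledgments and Hiring from the standard, and the sample file it checks is constructed with placeholder addresses.

```python
# Added example (not the article's own code): parse a security.txt file and
# check the rules above: Contact and Expires are mandatory, Expires must be in
# the future, URL fields must begin with https://. SAMPLE is constructed.
from datetime import datetime, timezone
from urllib.parse import urlparse
SAMPLE = """\
# Constructed sample (placeholder values)
Contact: mailto:security@example.com
Contact: tel:+1-555-0100
Contact: http://example.com/report
Expires: 2030-01-01T00:00:00.000Z
Encryption: https://example.com/pgp-key.txt
"""
URL_FIELDS = ("canonical", "encryption", "policy", "acknowledgments", "hiring")

def parse(text):
    # Map lower-cased field names to their values; '#' lines are comments.
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:  # ignore lines that are not "Field: value"
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate(text, now=None):
    # Return a list of problems; an empty list means the file passes.
    now = now or datetime.now(timezone.utc)
    f, problems = parse(text), []
    for required in ("contact", "expires"):
        if required not in f:
            problems.append(f"missing mandatory field: {required}")
    for c in f.get("contact", []):
        if urlparse(c).scheme.lower() not in ("mailto", "tel", "https"):
            problems.append(f"contact needs mailto:, tel: or https://: {c}")
    for exp in f.get("expires", []):
        try:
            when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
            when = when if when.tzinfo else when.replace(tzinfo=timezone.utc)
        except ValueError:
            problems.append(f"expires is not an ISO 8601 timestamp: {exp}")
            continue
        if when <= now:
            problems.append(f"file has expired: {exp}")
    for name in URL_FIELDS:
        for v in f.get(name, []):
            if not v.lower().startswith("https://"):
                problems.append(f"{name} must begin with https://: {v}")
    return problems
```

Running `validate(SAMPLE)` flags only the third Contact line, because it uses plain HTTP; an expired file or a missing mandatory directive is reported the same way.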
Using a security.txt file gives you extra control over your website when vulnerabilities are found. We are heading towards a world where trust in technology can decrease as much as it increases. In such a world, it is no mistake to take measures that seem small but have a big impact. As Stephane Nappo said: "Technology trust is a good thing, but control is a better one."