Security for everyone

Definition and Example of security.txt


14/Mar/21

Imagine that a security expert found a security vulnerability on your company's website and wants to report it to you. Searching your social media accounts to deliver this report, or explaining the problem to your customer service in technical language, will be a waste of time. At this point, you can speed up the process of fixing the security vulnerability with the security.txt file.

security.txt is a file that allows white hat hackers or security experts to report security vulnerabilities they find, whether through accidental discovery or out of curiosity about whether data is safe. Although its syntax is similar to that of robots.txt, it is proposed so that website owners and security contacts can communicate readily. Thus, it is human readable.

In this article, we will answer any questions about the security.txt file.

Note: Edwin Foudil first published the security.txt file in September 2017. Its latest version was released in July 2019.

 

How to Create One?

In this section, we will elucidate how to create the security.txt file and how its content should be written.

First, the security.txt file is intended to be served with the media type (Content-Type) "text/plain".

The file can be located in the /.well-known/ directory of your website (https://securityforeveryone.com/.well-known/security.txt). In addition, /security.txt is recommended as a redirection, so the security.txt file can also be accessed directly from the root directory (https://securityforeveryone.com/security.txt). The file has a single name and a fixed location so that the contacts who find vulnerabilities do not waste time trying to reach you, and so that there is a common standard.

Moreover, the file must be served over HTTPS. Thus, all URLs in the file must begin with "https://".

Now, we are ready to examine the directives in our file and see what our file will look like.

 

Contact

There should be directives and corresponding values in our file. Contact is one of the 2 directives that must be included in the security.txt file. If you want your contacts to reach you in more than one way, you can add different contact addresses with the same directive key to your file. Don't forget to add "mailto:" for mails and "tel:" for phone numbers.

Contact: https://securityforeveryone.com/contact
# Add a contact number if there is one
Contact: tel:+1-1234567
Contact: mailto:[email protected]

 

Expires

The information in the security.txt file may only be up to date for a certain period due to organizational changes. In this case, people who want to reach you may send you reports via the wrong contact addresses, which may cause a loss of time, information, and energy for both parties. It will be important to keep the expiration date updated with the changes on your file. This is the second mandatory directive for the security.txt file.

Expires: Sat, 23 Jan 2021 10:00:00

 

Canonical and Digital Signature

You may want to add a digital signature to verify the authenticity of the data in your file. In this case, add the location where your file is hosted to the Canonical directive to allow a digital signature.

Canonical: https://www.securityforeveryone.com/.well-known/security.txt

 

Encryption

You can add the Encryption directive with your PGP key if security researchers want to send their reports by encrypting them. If your key is provided via a link, do not forget to add "https://".

PGP key for Security For Everyone:


 

Instead of the plain key, you can also put a link address:

 

Encryption: https://static.securityforeveryone.com/web/public/0xB164FC308F92A0CD.asc

 

Policy

This is the link that allows security researchers to access your vulnerability disclosure policy.

Having access to your security policy can help researchers prepare their reports.

Since this part also specifies a web link, it must begin with "https://".

Policy: https://securityforeveryone.com/privacy-policy

 

Acknowledgments

You can add a link to a page with the names of people or companies contributing to finding vulnerabilities in your organization and whom you owe a debt of thanks to.

 

Hiring

You can leave a link where professionals interested in your company can apply to work with you.

 

Preferred Languages

You can add the languages used by your security team to this section by placing a comma between them. Using a common language will speed up the solution to the security problem.

Preferred-Languages: en, de

 

It will be better to see everything together.

Contact: mailto:[email protected]

Expires: Sat, 23 Jan 2021 10:00:00

Canonical: https://www.securityforeveryone.com/.well-known/security.txt

Encryption: https://static.securityforeveryone.com/0xB164FC308F92A0CD.asc

Policy: https://securityforeveryone.com/privacy-policy

Preferred-Languages: en, de

 

Should it be clearer?

Although the keywords seem to be sufficient, you can add a comment line to your file. For this, just put a "#" at the beginning of the sentence you want to add as a comment.

 

An example security.txt file

# An example security.txt file

# Contact us about the flaw
Contact: https://securityforeveryone.com/contact
Contact: mailto:[email protected]

# Expiration date
Expires: Sat, 23 Jan 2021 10:00:00


Canonical: https://www.securityforeveryone.com/.well-known/security.txt

# Contact us with a PGP key
Encryption: https://static.securityforeveryone.com/web/public/0xB164FC308F92A0CD.asc

# Look at our security policy
Policy: https://securityforeveryone.com/privacy-policy

Preferred-Languages: en, de
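
A small checker for the directives described above, as an added example that is not part of the original article: it parses the text of a security.txt file, skips "#" comments, requires Contact and Expires, and flags Contact values that are not clean https/mailto/tel URIs, link directives that do not start with https://, and an Expires date that has passed. The function names, the sample file and the reading of zone-less dates as UTC are assumptions of this example; RFC 9116, the version of the specification published later, writes Expires as an RFC 3339 timestamp, so the parser accepts that form too.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

REQUIRED = ("contact", "expires")
HTTPS_ONLY = ("canonical", "policy", "acknowledgments", "hiring")

def parse_expires(value):
    """Parse the date style shown in this article, or an RFC 3339 timestamp."""
    try:
        when = datetime.fromisoformat(value.upper().replace("Z", "+00:00"))
    except ValueError:
        when = parsedate_to_datetime(value)
    # Assumption: a date with no zone, like the article's example, is read as UTC.
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)

def check_security_txt(text, now=None):
    """Return (fields, problems) for the text of a security.txt file."""
    now = now or datetime.now(timezone.utc)
    fields, problems = {}, []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and "#" comments carry no directive
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            problems.append(f"line {number}: not a 'Name: value' directive")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    problems += [f"missing required directive: {n}" for n in REQUIRED if n not in fields]
    for value in fields.get("contact", []):
        if " " in value or not value.startswith(("https://", "mailto:", "tel:")):
            problems.append(f"contact is not an https/mailto/tel URI: {value}")
    for name in HTTPS_ONLY:
        problems += [f"{name} is not an https:// link: {v}"
                     for v in fields.get(name, []) if not v.startswith("https://")]
    for value in fields.get("expires", []):
        try:
            if parse_expires(value) <= now:
                problems.append(f"expired: {value}")
        except (TypeError, ValueError):
            problems.append(f"unparseable Expires value: {value}")
    return fields, problems

# Constructed sample; the example.org values are placeholders, not the article's.
SAMPLE = """# Contact us about the flaw
Contact: mailto: security@example.org
Expires: Sat, 23 Jan 2021 10:00:00
Policy: http://example.org/policy
"""
```
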

 

What About Bots?

The email address is a value that can be left out. If you're concerned about spam, set a URI as the value and link to your security policy.

 

Conclusion

Using a security.txt file will give you extra control over your website when vulnerabilities occur. We are heading towards a world where trust in technology can decrease as much as it increases. In such a world, it would not be a flaw to take measures that may seem small but have a big impact. As Stephane Nappo said: "Technology trust is a good thing, but control is a better one."
