Report security related issues – security.txt

Keeping your business safe and secure is one of the hardest things you can do, especially if you develop or host web applications. The security landscape is ever changing, and new threats are emerging constantly. In today’s blog article we’re going to talk about a special text file called security.txt. This text file, which is currently going through the proposed-standard process, will hopefully become the de facto standard for reporting security issues.

If you’ve not heard of this file before, it helps security researchers and other people know who to contact if there is a security related issue. For example, if you have developed a web application or have a website and someone finds something wrong with it, such as a security vulnerability, it’s always good to have something in place which tells people how to notify you. This is where security.txt comes into play.

As mentioned, the security.txt file is currently in draft as an Internet standard, entitled “A File Format to Aid in Security Vulnerability Disclosure”, and it provides a standardised way for people to inform companies about any security related issues relating to their business. The file is a plain text file and contains information about how to contact the business.

What you put in the file will vary depending upon the nature of your business, the make-up of your teams and whether you run a bug bounty programme. However, the file usually gives contact information for a dedicated information security team or IT support, such as email addresses and contact numbers.

Within this file you can also add security reporting policies, responsible disclosure guidelines and so on, as shown in our own security.txt file below:

Security.txt file

The file should be uploaded to the root of your domain (or web application), for example domain/security.txt, so people know where to look for it. The other standard location is domain/.well-known/security.txt.
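As an added example (not code from the original post or from securitytxt.org), here is a small Python script that builds a security.txt file, parses one, and checks it for the problems a reporter would actually hit: a missing Contact or Expires field, a contact that is not a mailto:/tel:/https: URI, an expired file, or an unknown field. The field names used (Contact, Expires, Encryption, Acknowledgments, Policy, Preferred-Languages, Canonical, Hiring) are the ones defined by the draft that later became RFC 9116; everything else, including the sample addresses and the `example.com` domain, is constructed for illustration, and the Expires check accepts only the Z-suffixed UTC timestamp form for simplicity.

```python
"""Added example (not from the original post): build, parse and validate a
security.txt file as described by the securitytxt.org draft / RFC 9116.
Field names are those the draft defines; all sample values are constructed."""
from datetime import datetime, timedelta, timezone

# Fields the draft defines; Contact and Expires are the mandatory ones.
KNOWN_FIELDS = {"Contact", "Expires", "Encryption", "Acknowledgments",
                "Policy", "Preferred-Languages", "Canonical", "Hiring"}
REQUIRED_FIELDS = {"Contact", "Expires"}
# Recognised locations, in the order a reporter (or a tool) should try them.
WELL_KNOWN_PATHS = ("/.well-known/security.txt", "/security.txt")


def candidate_urls(domain):
    """URLs a reporter should check for a given domain, .well-known first."""
    return [f"https://{domain}{path}" for path in WELL_KNOWN_PATHS]


def build_security_txt(contact, policy, expires_in_days=365, canonical=None):
    """Render a minimal security.txt whose Expires date lies in the future."""
    expires = datetime.now(timezone.utc) + timedelta(days=expires_in_days)
    lines = [
        "# Constructed sample security.txt (example only)",
        f"Contact: {contact}",
        f"Expires: {expires.strftime('%Y-%m-%dT%H:%M:%SZ')}",
        f"Policy: {policy}",
        "Preferred-Languages: en",
    ]
    if canonical:
        lines.append(f"Canonical: {canonical}")
    return "\n".join(lines) + "\n"


def parse_security_txt(text):
    """Parse 'Field: value' lines into a dict of field -> list of values.
    Comment (#) and blank lines are ignored; field names are matched
    case-insensitively and normalised to the draft's capitalisation."""
    fields = {}
    canonical_names = {f.lower(): f for f in KNOWN_FIELDS}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        name = canonical_names.get(name.strip().lower(), name.strip())
        fields.setdefault(name, []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems a reporter would run into; empty list = OK."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for req in sorted(REQUIRED_FIELDS):
        if req not in fields:
            problems.append(f"missing required field: {req}")
    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field: {name}")
    for contact in fields.get("Contact", []):
        # Contacts must be URIs: a bare e-mail address or phone number needs
        # the mailto: / tel: scheme, and web links must use https.
        if not contact.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact is not a mailto:/tel:/https: URI: {contact}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear only once")
    for value in expires:
        try:  # assumption: only the Z-suffixed UTC form is accepted here
            when = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            problems.append(f"Expires is not a YYYY-MM-DDTHH:MM:SSZ timestamp: {value}")
            continue
        if when <= now:
            problems.append(f"file has expired ({value}); reporters may ignore it")
    return problems


if __name__ == "__main__":
    sample = build_security_txt("mailto:security@example.com",
                                "https://example.com/security-policy")
    print(sample)
    print("problems:", validate_security_txt(sample))
```

Running the script prints a freshly generated file and an empty problem list; feeding it a stale copy (an Expires date in the past) is the case worth catching, since a reporter who finds an expired file has no way of knowing whether the contact details are still valid.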

The website securitytxt.org has a generation tool which lets you fill in some details and creates a text file for you to save and upload to your site, making the process as easy and streamlined as possible.

I hope this helps you and was informative. Any questions regarding this, feel free to contact us at: [email protected].