Recently, I came across the tweet below from security expert Troy Hunt:
— Troy Hunt (@troyhunt) February 3, 2018
The tweet talked about a file named security.txt. I went on to read his post to understand what exactly security.txt is and what problem it solves.
So, what is security.txt?
No organization wants to be caught on the wrong foot when it comes to security. A data or security breach could lead to financial and reputational loss for a company. When a security researcher finds a potential breach or security vulnerability in an organization's website or application, they try to contact the organization to "responsibly disclose" the issue. The disclosure is confidential in nature and gives the organization time to take appropriate action on the issue before it becomes public.
But who does the security researcher reach out to? In scenarios like this, they would rather not go through a general "contact us" page on the website or email or call the organization's customer care line. They would prefer to reach someone in the organization who has the authority to take immediate action.
security.txt can come to the rescue. The concept of security.txt was proposed by security researcher Ed Foudil. According to his website, securitytxt.org:
The main purpose of security.txt is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.txt, security researchers can easily get in touch with companies about security issues.
Organizations can add security.txt to their website to tell security researchers whom to contact, and how, when they come across a security vulnerability on that website.
The website also provides an easy way to generate the security.txt file. The file needs to be added to the path
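As an added example that is not from the original post or from securitytxt.org: a small Python checker an organization can run over the security.txt it is about to publish, so that a researcher who finds it gets a usable, current contact. The field names (Contact, Expires, Policy, etc.) and the rules checked are taken from RFC 9116, which standardized security.txt after this post was written; the sample file and its example.com addresses are constructed placeholders.

```python
"""Parse and sanity-check a security.txt file (added example; field names per RFC 9116)."""
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample file; example.com is a placeholder, not a real organization's file.
SAMPLE = """\
# Our security policy
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2099-12-31T23:59:00.000Z
Encryption: https://example.com/pgp-key.txt
"""

def parse_security_txt(text):
    """Return {field: [values]}; comments and blank lines are skipped, names are case-insensitive."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return the problems a site owner should fix before publishing (empty list = looks good)."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact field")
    for c in contacts:  # researchers need a channel that is reachable and not downgradable to http
        if urlparse(c).scheme not in ("mailto", "tel", "https"):
            problems.append(f"Contact must use mailto:, tel: or https: ({c})")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:  # RFC 9116 requires an ISO 8601 timestamp; a stale file signals an unmaintained contact
            if datetime.fromisoformat(expires[0].replace("Z", "+00:00")) <= now:
                problems.append("Expires is in the past; the file should be refreshed")
        except (ValueError, TypeError):
            problems.append(f"Expires must be an ISO 8601 timestamp with a timezone ({expires[0]})")
    for name in ("canonical", "policy", "acknowledgments"):  # web links must not be plain http
        problems += [f"{name} should be an https: URL ({v})" for v in fields.get(name, []) if urlparse(v).scheme != "https"]
    return problems
```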
Many websites, including Google, have started adding security.txt; maybe it's time you added one too 🙂