Security.txt is a file that is placed in your website root directory to help security researchers report security issues and bugs that they discover.
Security.txt was founded by E. Foudil and Yakov Shafranovich in 2017. The first draft of the standard was published on Feb 11, 2018, on GitHub.
In brief, Security.txt, just like Robots.txt intends to become the standard file that security experts and researchers can use to report website security issues that they discover. Initially, it was difficult to get the correct contacts to report a security issue.
Big popular tech companies like Google, Facebook, GitHub, WordPress, Amazon, etc. that are currently using Security.txt, have bug bounty programs where they reward security researchers for disclosing vulnerabilities or bugs.
What is included in the Security.txt file?
Some of the details contained in the Security.txt file include;
- Acknowledgments: This is where you can list security researchers that have disclosed vulnerabilities.
- Policy: This a page that contains past reported vulnerabilities. Be careful not to disclose detailed information that would lead to more attacks.
- Canonical: This is the URL to the security.txt page. For example https://github.com/.well-known/security.txt.
- Contact: These are the contact options that security researchers can use to reach you. You can use an email in this format: mailto:firstname.lastname@example.org or telephone number in this format: tel:+1-201-555-0123 or contact page beginning with https://.
- Encryption: If you want researchers to use encrypted communication you can add an encryption key.
- Expires: This indicates the dates and time which information contained in the security.txt file expire. The format of the date should be in ISO 8601. For example; Expires: 2022-04-27T07:20:02+00:00
More detailed information on security.txt file format.
Example of security.txt file format used by Github
- Contact: https://hackerone.com/github
- Acknowledgments: https://bounty.github.com/bounty-hunters.html
- Preferred-Languages: en
- Canonical: https://github.com/.well-known/security.txt
- Policy: https://bounty.github.com
How to create Security.txt file
To create a security.txt file, follow the procedure below,
- Go to your websites root folder
- Create a folder called .well-known
- Then create a file inside the folder named security.txt
- The file path should look something like this: /.well-known/security.txt
- Then add these basic details to the file as explained above
You can also use this form to generate a security.txt file with an encryption key.
NOTE 1: The security.txt file should be in text/plain format and your website should be using HTTPS.
NOTE 2: If you are worried about scrapers or spammers harvesting emails used in the security.txt file, then add a URL to the contact page or form instead of an email.
Before you leave, Subscribe to our Newsletter to be updated via email when Blogging Tools you use to run your blog release new features or make critical changes. For any question about this post, or anything else related to website technologies, we are responding on Reddit or comment below.
Leave a Reply