Have you ever wished that there was a universally recognized way of communicating your website security policies to ethical hackers, security researchers, and concerned users? Now, there is! In April 2022, researchers from the Internet Engineering Task Force (IETF) published their proposal for a standardized file for reporting security vulnerabilities. This proposal is called security.txt.
Many security researchers encounter situations where they are unable to report security vulnerabilities to organizations because those organizations do not have any website security policies in place. This means that researchers simply do not know how to contact the owner of a particular resource.
Security.txt solves this problem. The standardized format provides website owners and organizations with a new, easily understandable means of publishing their vulnerability disclosure policy and contact details, which helps them to make the Internet a safer place.
In this article, we will delve into the fundamentals of security.txt, understanding what it is, its practical advantages, how it functions, and most importantly, how you can implement it on your own website.
What is security.txt?
In short, security.txt is a file written in a special text format that’s understandable by both machines and humans. Easy to create and publish, the file provides a clear format for an organization to communicate its current vulnerability policy. On top of that, a security.txt file also serves as a means for website owners to share their contact info with security investigators and ethical hackers.
The widespread use and adoption of security.txt is beneficial both for individual organizations and for the safety of the Internet at large. Cybersecurity experts expect the adoption of security.txt to lead to increased reporting of security issues, and thereby to reduce the number of incidents.
Advantages of security.txt
Adding a security.txt file to your website helps improve your website security and highlights the overall importance of security on the Internet.
- Improving your website security: More frequently than ever, security researchers find vulnerabilities in platforms, which could include yours. However, they do not know how to inform the asset owner, because there is no adequate contact information or vulnerability disclosure policy available on the site. By adding a security.txt file to their websites, organizations make it easy for security researchers to contact them. This, in turn, helps improve their online defenses.
- Highlighting the importance of security: Security is a core value of many companies, and rightly so. By adding a security.txt file to your website, you underscore your company’s commitment to a safer internet of tomorrow. It shows your customers and partners that you value a secure website and that you have an open, transparent approach to dealing with vulnerabilities.
How does a security.txt file work?
The security.txt framework is very simple. The file consists only of a series of plain text lines, each containing a field name and a field value separated by a colon (for example, Contact: mailto:security@yourdomain.com). The file is always published over HTTPS at the following address: https://yourdomain.com/.well-known/security.txt, which makes it easy for security researchers to find it.
How to set up a security.txt file?
Generate your own security.txt file by following the steps below:
- Go to securitytxt.org.
- Fill in the fields on the page to create your own file:
  - Contact: Add a link or an email address through which people can reach out to you about security issues. Make sure this email address or link is a valid one!
  - Expiration date: Add the date and time on which the information in your security.txt file is set to expire.
  - The other fields (encryption, acknowledgments, canonical URL, preferred languages, link to vulnerability policy, and link to hiring page) are all optional. You can choose to fill in as many of these as you wish or leave them blank.
- Click on “Generate security.txt file” to generate your file.
- You are ready to go! Publish your security.txt file. If you want to give security researchers confidence that your file is authentic, and not planted by an attacker, the creators of security.txt recommend digitally signing the file with an OpenPGP cleartext signature.
- Make sure to periodically check the email address you mention in your security.txt file, as well as update the expiration date.
Openprovider and security.txt: embracing the future of online security
At Openprovider, we understand like no other that vulnerabilities are all around us. When it comes to cybersecurity, we see it as our job to stay in front and up-to-date. We firmly believe in the potential of security.txt to contribute to a secure website and a safer internet ecosystem at large. Therefore, we encourage you, and all domain owners, to implement this simple yet effective tool. You can easily generate your own security.txt file at securitytxt.org and publish it on your website today.
Openprovider has already published a security.txt file on our own website. We hope that more domain owners will follow in our footsteps in the future. If you have any questions or doubts about security.txt, you can find the answers to some frequently asked questions on securitytxt.org.