Security.txt is an internet draft, currently under review, that aims to standardize a common way of sharing contact information. Security researchers, among others, can use that information to contact companies, organizations, and possibly individuals about security issues or vulnerabilities in their products.
“When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.” (Quote Source)
The file format is simple: a text file named security.txt that lives under either /.well-known/ or the root directory of your website. Taking my website as an example, that would mean the security.txt path could be:
The website securitytxt.org offers a neat tool that can help generate a security.txt file in a fast and intuitive manner. All you need to do once you have your file is to upload it to one of the two paths and make sure your web server allows public access to it.
The full list of organizations and entities that adopted the proposal is probably far too long, so here are a couple of notable adopters.
- Google: https://www.google.com/.well-known/security.txt
- LinkedIn: https://www.linkedin.com/.well-known/security.txt
- The Government of New Zealand: https://msd.govt.nz/.well-known/security.txt
- The UK's National Cyber Security Centre (NCSC): https://www.ncsc.gov.uk/.well-known/security.txt
- The Swedish Healthcare Help Line 1177.se: https://www.1177.se/.well-known/security.txt
- OVH: https://www.ovh.com/.well-known/security.txt
To find more examples, use this search query in Google: security.txt filetype:txt
- security.txt: Proposed standard for defining security policies (securitytxt.org)
- draft-foudil-securitytxt-12 (ietf.org)
- securitytxt/security-txt: A proposed standard that allows websites to define security policies. (github.com)
- What's security.txt and why you should have one | Michal Špaček (michalspacek.com)
- How to implement security.txt under .well-known in IIS – Gosso Developer Blog