The record is similar to robots.txt, a model used by websites to describe and establish policies for web and search engine crawlers.
Security.txt is for security-related problems
The difference among security.txt and robots.txt is that security.txt will be used to reach a company’s security practices only, and is expected to be read by humans, preferably than automated scanners.
For example, if a security researcher discovers a security vulnerability on a website, he can enter the site’s security.txt file for data on how to contact the company and securely report the issue.
According to the popular IETF draft, website proprietors would be able to create security.txt files that look like this:
#This is a comment Contact: [email protected] Contact: +123456789 Contact: https://example.com/security Encryption: https://example.com/pgp-key.txt Acknowledgement: https://example.com/acknowledgements.html Disclosure: Full
Speaking to News, Foudil says he developed up with the idea after visiting the DEF CON security discussion and the H1702 CTF event in the US at the start of August.
“During that interval, I was thinking on the amazing offerings some of the people from the events in Las Vegas make to the security business and our community as a whole,” Foudil told News. “This prompted me to stop putting my ideas to myself and start working on designs and sharing my ideas.”
Projects like SECURITY.md and BUG-BOUNTY.md files attached to GitHub containers to describe security policies were also a significant inspiration.
This is when Foudil put together a first variant of the security.txt designation that he later published on GitHub. Early feedback from the IT security industry changed the researcher to go on.
“When x0rz well-known security researcher tweeted about my project I realized that this was something users really needed and that it was a chance to start writing up an RFC draft,” Foudil said.
The researcher had lots of guidance from people in the industry. Foudil says feedback from HackerOne, Bugcrowd, Google, and others helped him develop his IETF proposal.
The modern IETF draft of security.txt only introduces support for four directives (Contact, Encryption, Disclosure, and Acknowledgement). The security.txt GitHub repo lists many more directives, such as In-scope, Out-of-scope-vuln, Rate-limit, Platform, Reward, Payment-method, Currency, Donate, and Disallow.
Take your time to comment on this article.