Security.txt Standard Proposed, Similar To Robots.txt (bleepingcomputer.com)

← Back to Stories (view on slashdot.org)

Security.txt Standard Proposed, Similar To Robots.txt (bleepingcomputer.com)

Posted by EditorDavid on Saturday September 16, 2017 @05:46AM from the proposing-protocols dept.

An anonymous reader writes: Ed Foudil, a web developer and security researcher, has submitted a draft to the IETF — Internet Engineering Task Force — seeking the standardization of security.txt, a file that webmasters can host on their domain root and describe the site's security policies. The file is akin to robots.txt, a standard used by websites to communicate and define policies for web and search engine crawlers...

For example, if a security researcher finds a security vulnerability on a website, he can access the site's security.txt file for information on how to contact the company and securely report the issue. According to the current security.txt IETF draft, website owners would be able to create security.txt files that look like this:

#This is a comment Contact: security@example.com Contact: +1-201-555-0123 Contact: https://example.com/security Encryption: https://example.com/pgp-key.tx... Acknowledgement: https://example.com/acknowledg... Disclosure: Full

5 of 86 comments (clear)

Min score:

Reason:

Sort:

Spam! by markdavis · 2017-09-16 05:57 · Score: 5, Insightful

Yay! Zillions of more juicy Email addresses and phone numbers to collect and spam! Robots will sweep up all that data and hammer the "contacts" to death.
P3P redux by Donwulff · 2017-09-16 06:11 · Score: 3, Insightful

It's almost like https://www.w3.org/P3P/ wasn't already a thing that died with a whimper 10 years ago. On the other hand, an almost syntax-free text-file might gain some more traction, even if I fail to see how that's actually useful over some "About" or "Contact" link on the website menu.
Non problem by whoever57 · 2017-09-16 06:17 · Score: 4, Insightful

This is not a solution to any real problem.
The problem is companies that don't want to hear about vulnerabilities. Those companies are unlikely to put up security.txt entries.
"None so deaf as those that will not hear. None so blind as those that will not see." Matthew Henry.

--
The real "Libtards" are the Libertarians!
20 Years Too Late. Whois Already Exists. by Anonymous Coward · 2017-09-16 06:29 · Score: 3, Insightful

20 years ago this would have been a fantastic idea. In 2017, this is just another potential security hole. Spammers will scrape and hit those contacts hard.
Also, as another pointed out, may offer little protection, since hackers can, presumably, can alter the security.txt file too. It's not even signed, so how would one know which is the correct one? Presumably, Google, Microsoft, Apple, etc could maintain a security.txt registry and monitor changes. Then flag such changes in web browsers that can do such lookups. That could help, but increases the complexity. Whois, while far from perfect, already provides much same functionality.
Making contact easier is a worthy goal, but security.txt seems the wrong way to go about it.
Minus 1 for stupidity by Anonymous Coward · 2017-09-16 08:24 · Score: 2, Insightful

if a security researcher finds a security vulnerability on a website, he can access the site's security.txt file for information on how to contact the company and securely report the issue.
This is based on the false assumption that websites actually care about security. 99.9% of all companies couldn't care less, as proven by the almost daily occurrence of breaches.