Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security.txt Standard Proposed, Similar To Robots.txt (bleepingcomputer.com)

Posted by EditorDavid on from the proposing-protocols dept.

An anonymous reader writes: Ed Foudil, a web developer and security researcher, has submitted a draft to the IETF — Internet Engineering Task Force — seeking the standardization of security.txt, a file that webmasters can host on their domain root and describe the site's security policies. The file is akin to robots.txt, a standard used by websites to communicate and define policies for web and search engine crawlers...

For example, if a security researcher finds a security vulnerability on a website, he can access the site's security.txt file for information on how to contact the company and securely report the issue. According to the current security.txt IETF draft, website owners would be able to create security.txt files that look like this:

#This is a comment
Contact: security@example.com
Contact: +1-201-555-0123
Contact: https://example.com/security
Encryption: https://example.com/pgp-key.tx...
Acknowledgement: https://example.com/acknowledg...
Disclosure: Full

5 of 86 comments (clear)

  1. Spam! by markdavis · · Score: 5, Insightful

    Yay! Zillions of more juicy Email addresses and phone numbers to collect and spam! Robots will sweep up all that data and hammer the "contacts" to death.

    1. Re:Spam! by Anonymous Coward · · Score: 5, Funny

      No, the security.txt file will be excluded from crawling via the robots.txt file

    2. Re:Spam! by jmccue · · Score: 5, Funny

      For US sites, how about adding the Admin's SSN, their address and their Mother's Maiden names ? That way we can really know the file is genuine

  2. Non problem by whoever57 · · Score: 4, Insightful

    This is not a solution to any real problem.

    The problem is companies that don't want to hear about vulnerabilities. Those companies are unlikely to put up security.txt entries.

    "None so deaf as those that will not hear. None so blind as those that will not see." Matthew Henry.

    --
    The real "Libtards" are the Libertarians!
  3. Better idea by corychristison · · Score: 5, Interesting

    Here's a better idea:

    Put the security.txt above the server's Document Root. That way you'd actually have to hack/exploit the server to get at the security contact's information.