Security is a difficult process and organisations don't always get it right, I think everyone can agree on that. What's important though is that when things inevitably do go wrong, those who want to contact you and let you know there is a problem can do so quickly and easily. This is what security.txt aims to allow.
Responsible Disclosure
I've been doing security research for a few years now and in that time I've had to reach out and contact numerous organisations to let them know they have a serious problem. I've found issues in ISP issued hardware like the EE BrightBox router (twice), holiday booking websites like Hotel Hippo and even utility providers like Ecotricity. Bad things happen and organisations need to respond quickly to resolve them but one things that's always slowed down the process was me not being able to find who I should speak to. I've been through call centres, online chats, support tickets systems, social media and who knows what else just to try and raise an issue with the right person. The process is a nightmare, consumes significant amounts of my time and ultimately leaves the website and users vulnerable for even longer. I'd love a simple way to be able to know who to contact in such incidents, and now we have one.
security.txt
The security.txt file is a simple text file, much like robots.txt, that contains crucial information on who to contact or where to look for security related information about a website. You can read the RFC and check out the securitytxt.org website for more details. Here are the contents of security.txt on my blog:
Contact: security@scotthelme.co.uk
Contact: https://twitter.com/Scott_Helme
Encryption: https://scotthelme.co.uk/contact/
That simple little piece of information gives a researcher exactly the information they need should they ever want to contact me. I also have the same files setup on Security Headers and Report URI. You can see all of my files at their addresses here:
https://scotthelme.co.uk/.well-known/security.txt
https://securityheaders.io/.well-known/security.txt
https://report-uri.com/.well-known/security.txt
The file is only supposed to be in the /.well-known/
path but I figured I'd put them alongside robots.txt
in the root too for good measure. If you or your organisation do have an email address that should be used for reporting security related matters then I'd highly recommend setting up a security.txt file. It's simple and easy to do, it's really not going to cost anything and it could save crucial time in the event of a researcher needing to get through to the appropriate person to report a serious problem. I did try to add a check to my crawler fleet to look for security.txt in the official /.well-known/
path but boy is there a lot of weird stuff going on out there!
The security.txt file hasn't been around long and there are already some really weird configurations out there! Here's a few:
— Scott Helme (@Scott_Helme) January 1, 2018
For now I need to find a better way of reliably detecting a proper security.txt file but the raw data is available in my crawler data if you're interested.