Internet Draft security.txt: getting to know another .well-known file

The main idea of the project is to formalize the interaction between a company's internal information security team and external researchers by stating clearly how and where to report vulnerabilities and other security issues. Formalizing this interaction is a real problem: not every site runs a bug bounty program, or even publishes the contact details of its security specialists. Attempts to get through via the support service or Twitter often end with assurances that "everything is as it should be," followed by silence.

Of course, this only works if the company publishing security.txt is ready to review the reports that arrive through this channel and respond to them in a timely manner.

The standard has been under development since August 2017; so far it is only an Internet Draft and has not been assigned an RFC number. Despite this, several large companies, such as Google, Dropbox and Pixiv, already use it. In RuNet, I managed to find Goloslogos, Clean Line, Top Deck, and Drive2.

The following information can be published in security.txt:

  • Contact method: a link to a feedback form, a bug bounty program or an e-mail address (this is the only required field)
  • PGP public key: for encrypting sensitive information
  • Hall of Fame link: for acknowledging researchers
  • Languages for communication: several may be specified
  • Link to security.txt itself: needed for authentication if you have signed the file with a digital signature
  • Security policy link: if your resource has one
  • Link to vacancies: if you are looking for security professionals

The form on the official website can help generate the file in the correct format.
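To see how these fields fit together, here is an added example (not code from the original post or from the draft's authors) that parses a security.txt file and checks it for the problems a publisher would want to catch: a missing Contact field, unknown or malformed lines, and plain-http links that could be tampered with in transit. Field names follow the draft (the spelling "Acknowledgments" is taken from its later revisions), and the sample file is constructed for the example.

```python
from urllib.parse import urlparse

# Field names as defined in the security.txt Internet Draft; the post lists
# each of them by description. Only "Contact" is mandatory.
KNOWN_FIELDS = {
    "Contact", "Encryption", "Acknowledgments", "Preferred-Languages",
    "Canonical", "Policy", "Hiring",
}
REQUIRED_FIELDS = {"Contact"}

def parse_security_txt(text):
    """Parse security.txt into {field: [values]}; fields may repeat."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        if ":" not in line:
            fields.setdefault("_malformed", []).append(line)
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def validate(fields):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    for req in REQUIRED_FIELDS:
        if req not in fields:
            problems.append(f"missing required field: {req}")
    for name in fields:
        if name != "_malformed" and name not in KNOWN_FIELDS:
            problems.append(f"unknown field: {name}")
    for line in fields.get("_malformed", []):
        problems.append(f"malformed line: {line!r}")
    # Web links should be https: a plain-http key or policy link could be
    # altered on the way to the researcher who relies on it.
    for name in ("Contact", "Encryption", "Canonical", "Policy", "Hiring"):
        for value in fields.get(name, []):
            if urlparse(value).scheme == "http":
                problems.append(f"{name} uses plain http: {value}")
    return problems

# Constructed sample file, not taken from any real site.
SAMPLE = """\
# Our security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Encryption: https://example.com/pgp-key.txt
Acknowledgments: https://example.com/hall-of-fame
Preferred-Languages: en, ru
Canonical: https://example.com/.well-known/security.txt
Policy: http://example.com/security-policy
Hiring: https://example.com/jobs
"""

if __name__ == "__main__":
    for problem in validate(parse_security_txt(SAMPLE)):
        print("WARN:", problem)
```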

Links:

Official website
IETF project text
Project github
