Add a security.txt to Your Web Applications

Your web application is under the constant threat of hackers. It does not matter whether you run a small pet project or a big commercial site: as soon as it is reachable from the internet, someone will attack it.

Sometimes we get lucky, and someone finds a security issue and wants to report it. But where should they report it? A report sent to [email protected] may land with someone who has no IT or security knowledge and simply ignores it.

A good and simple solution to this problem is the proposed standard security.txt, which lets a website disclose how to communicate about security-related matters:

security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.

Even better, all you need to do is add a file at .well-known/security.txt with content like this:

Contact: mailto:[email protected]
Expires: 2024-03-31T21:59:00.000Z
Preferred-Languages: en, de

That is the minimal information your security.txt file needs. You can add more details, as in the example from https://securitytxt.org/.well-known/security.txt:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Contact: https://hackerone.com/ed
Expires: 2023-03-14T00:00:00.000Z
Acknowledgments: https://hackerone.com/ed/thanks
Preferred-Languages: en, fr, de
Canonical: https://securitytxt.org/.well-known/security.txt
Policy: https://hackerone.com/ed?type=team&view_policy=true
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQSsP2kEdoKDVFpSg6u3rK+YCkjapwUCYhjpQwAKCRC3rK+YCkja
pyk2AP97ePaFUo8K8e1D+N+G6caqXjC/pwnZB+Wkk15AI+xstgD/VR5rOLKLZ7QF
gKk5ohVS7qHou8Ux9cdodY2BRUIdrww=
=gFfQ
-----END PGP SIGNATURE-----
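A small checker for the format shown above, written for this post as an added example (it is not code from the post or from securitytxt.org); the sample file and its security@example.com address are constructed placeholders. It parses the fields, skips a PGP clear-signature wrapper like the one in the signed example, and reports the mistakes that would leave a reporter stranded: a missing Contact or Expires, a Contact that is not a URI, or a file that has already expired.

```python
from datetime import datetime, timezone

REQUIRED = ("Contact", "Expires")
KNOWN = {"Acknowledgments", "Canonical", "Contact", "Encryption", "Expires", "Hiring", "Policy", "Preferred-Languages"}

def parse_security_txt(text):
    """Map field name -> list of values; comments, blank lines and PGP armor are skipped."""
    fields, in_sig, in_armor_hdr = {}, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN PGP"):
            in_sig = line.endswith("SIGNATURE-----")
            in_armor_hdr = not in_sig      # signed-message armor headers such as 'Hash: SHA512' follow
            continue
        if line == "-----END PGP SIGNATURE-----":
            in_sig = False
            continue
        if in_sig or in_armor_hdr:
            in_armor_hdr = in_armor_hdr and bool(line)   # armor header block ends at the first blank line
            continue
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = [f"missing required field {n}" for n in REQUIRED if n not in fields]
    for c in fields.get("Contact", []):
        if not c.startswith(("mailto:", "https://", "tel:")):   # Contact values must be URIs
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {c}")
    for e in fields.get("Expires", []):
        try:   # 'Z' suffix rewritten so datetime.fromisoformat accepts it on older Pythons
            if datetime.fromisoformat(e.replace("Z", "+00:00")) <= now:
                problems.append(f"file expired on {e}")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {e}")
    problems += [f"unknown field {n}" for n in fields if n not in KNOWN]
    return problems

# Constructed sample, modelled on the post's minimal file; the address is a placeholder.
SAMPLE = ("# constructed sample\nContact: mailto:security@example.com\n"
          "Expires: 2024-03-31T21:59:00.000Z\nPreferred-Languages: en, de\n")
```

Running check_security_txt(SAMPLE) today reports the file as expired, which is exactly the kind of stale security.txt a monitoring job should catch before a reporter does.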

Conclusion

I like this approach very much and think everyone should add a security.txt file to their web application or web services. It does not take much effort and helps the people who want to report a security problem immensely.
