We’ve previously talked about the difficulties of vulnerability disclosure on our blog, and even published our own Responsible Disclosure Policy.
This post describes a standard that makes this information easy to find: security.txt (now published as RFC 9116).
Why?
After finding a vulnerability in a website or product we try to report it so it can get fixed!
Unfortunately, a major barrier to doing this successfully is finding where to report the vulnerability. Often there is no information at all on who to contact or how.
The security.txt project aims to address and fix this.
What?
Simply put - security.txt is a plain-text file served over HTTPS at a fixed, easy-to-find path on your website: /.well-known/security.txt (ours is at e2e-assure.com/.well-known/security.txt). Because the path is fixed, a researcher can check it on any site without guessing.
Now, with one file, you’ve provided the following (very) useful information to security researchers, one "Field: value" line per item:
- Security contact (the Contact field: a mailto:, https:// or tel: URI; required)
- Encryption key (the Encryption field pointing at your PGP key; optional)
- Acknowledgements page (the Acknowledgments field)
- Disclosure policy (the Policy field linking to your responsible disclosure policy)
- Signature (the whole file can be PGP clear-signed so researchers can verify it wasn't tampered with)
RFC 9116 also requires an Expires field giving the date after which the file should be treated as stale, so set a reminder to refresh it.
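To show what the fields look like on the wire, and how a researcher or an automated check can read them, here is an added example that is not from the original post or e2e-assure's own tooling. It parses a security.txt file (skipping comments and the armour of a PGP cleartext signature) and checks it against the RFC 9116 field rules: Contact and Expires present, Expires in the future and no more than a year away, single-valued fields not repeated, and URI fields using an accepted scheme. The sample files, the example.com URLs and the fixed check time are all constructed for the demonstration.

```python
"""Parse and sanity-check a security.txt file against the RFC 9116 field rules."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on what a site would serve at
# https://example.com/.well-known/security.txt (not e2e-assure's real file).
SAMPLE = """\
# Constructed example security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Acknowledgments: https://example.com/hall-of-fame.html
Policy: https://example.com/responsible-disclosure
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

# The same file wrapped in a PGP cleartext signature. The signature body is a
# placeholder, not a real signature: the point is that the parser skips it.
SIGNED = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    + SAMPLE
    + "-----BEGIN PGP SIGNATURE-----\n\niQEzBAEBCAAdFiEEplaceholder\n"
    "-----END PGP SIGNATURE-----\n"
)

# Constructed file with the mistakes the checker is meant to catch.
STALE = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
"""

# Fixed "current time" so the checks below are reproducible (assumption).
SAMPLE_CHECK_TIME = datetime(2029, 6, 1, tzinfo=timezone.utc)

# RFC 9116: these fields may appear at most once.
SINGLE_VALUED = ("Expires", "Preferred-Languages")
# URI schemes RFC 9116 accepts for each URI-valued field.
ALLOWED_SCHEMES = {
    "Contact": ("mailto:", "https://", "tel:"),
    "Encryption": ("https://", "dns:", "openpgp4fpr:"),
    "Acknowledgments": ("https://",),
    "Policy": ("https://",),
    "Canonical": ("https://",),
    "Hiring": ("https://",),
}


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Return field name -> list of values, skipping comments and PGP armour."""
    fields: dict[str, list[str]] = {}
    in_signature = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNATURE-----":
            in_signature = True
            continue
        if line == "-----END PGP SIGNATURE-----":
            in_signature = False
            continue
        if in_signature or line == "-----BEGIN PGP SIGNED MESSAGE-----":
            continue
        if line.startswith("Hash:"):  # armour header of a cleartext signature
            continue
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        # Field names are case-insensitive; normalise to the RFC spelling.
        fields.setdefault(name.strip().title(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return the problems found; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: list[str] = []

    if not fields.get("Contact"):
        problems.append("missing required Contact field")

    if "Expires" not in fields:
        problems.append("missing required Expires field")
    else:
        try:
            expires = datetime.fromisoformat(fields["Expires"][0].replace("Z", "+00:00"))
        except ValueError:
            problems.append("Expires is not an ISO 8601 timestamp")
        else:
            if expires.tzinfo is None:
                problems.append("Expires must carry a timezone")
            elif expires <= now:
                problems.append("file has expired")
            elif expires - now > timedelta(days=365):
                problems.append("Expires is more than a year away")

    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")

    for name, schemes in ALLOWED_SCHEMES.items():
        for uri in fields.get(name, []):
            if not uri.startswith(schemes):
                problems.append(f"{name} value has no accepted scheme {schemes}: {uri}")
    return problems


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE), ("signed", SIGNED), ("stale", STALE)):
        print(label, check_security_txt(doc, now=SAMPLE_CHECK_TIME) or "OK")
```

Run it as-is to see the clean sample and its signed copy pass while the stale file is flagged three times; to check a live site, fetch https://yourdomain/.well-known/security.txt and pass the body to check_security_txt() with the default clock. The checker only validates the file's shape; it does not verify the PGP signature, which needs the key the Encryption field points at.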
Wrap-up
None of this is ground-breaking new information. However, making it easy to find can be the difference between someone reporting a vulnerability to you and deciding it's too difficult!
We have recently added a security.txt file to e2e-assure.com - and recommend you should too!
To find out more and generate your own security.txt file, visit securitytxt.org.