|A File Format to Aid in Security Vulnerability Disclosure|
|First published||September 2017|
11 March 2021
security.txt is a proposed standard for websites' security information that is meant to allow security researchers to easily report security vulnerabilities. The standard prescribes a text file called "security.txt" in the well known location, similar in syntax to robots.txt but intended to be machine- and human-readable, for those wishing to contact a website's owner about security issues. security.txt files have been adopted by Google, GitHub, LinkedIn, and Facebook.
The Internet Draft was first submitted by Edwin Foudil in September 2017. At that time it covered four directives, "Contact", "Encryption", "Disclosure" and "Acknowledgement". Foudil expected to add further directives based on feedback. In addition, web security expert Scott Helme said he had seen positive feedback from the security community while use among the top 1 million websites was "as low as expected right now".
In 2019, the Cybersecurity and Infrastructure Security Agency (CISA) published a draft binding operational directive that requires all federal agencies to publish a security.txt file within 180 days.
A study in 2021 found that over ten percent of top-100 websites published a security.txt file, with the percentage of sites publishing the file decreasing as more websites were considered. The study also noted a number of discrepancies between the standard and the content of the file.
security.txt files can be served under the
/.well-known/ directory (i.e.
/.well-known/security.txt) or the top-level directory (i.e.
/security.txt) of a website. The file must be served over HTTPS and in plaintext format.
- at 13:47, John Leyden 3 Jan 2018. "Bug-finders' scheme: Tick-tock, this tech's tested by flaws.. but who the heck do you tell?". www.theregister.co.uk. Retrieved 2019-04-14.
- "Security.txt Standard Proposed, Similar to Robots.txt". BleepingComputer. Retrieved 2019-04-14.
- "The Telltale Text File: Security Researcher Proposes Standard for Reporting Vulnerabilities". Security Intelligence. Retrieved 2019-04-14.
- Cimpanu, Catalin (2019-11-29). "iOS apps could really benefit from the newly proposed Security.plist standard". ZDNet. Retrieved 2020-06-16.
- "CISA Seeks Comments on How Government Should Handle Vulnerability Reports". Decipher. Retrieved 2020-01-29.
- Kuldell, Heather (2019-12-18). "CISA Still Wants Your Thoughts on Its Vulnerability Disclosure Policy". Nextgov.com. Retrieved 2020-01-29.
- "Security.txt – IESG issues final call for comment on proposed vulnerability reporting standard". The Daily Swig | Cybersecurity news and views. 2019-12-12. Retrieved 2020-03-30.
- Poteat, Tara; Li, Frank (November 2021). "Who you gonna call?: an empirical evaluation of website security.txt deployment". IMC '21: Proceedings of the 21st ACM Internet Measurement Conference. Internet Measurement Conference. Online: ACM. pp. 526–532. doi:10.1145/3487552.3487841.
- Foudil, Edwin; Shafranovich, Yakov (April 2022). "RFC 9116 – A File Format to Aid in Security Vulnerability Disclosure". Datatracker.ietf.org.
- "Characterizing the Adoption of Security.txt Files" (PDF). Characterizing the Adoption of Security.txt Files. 2022-02-11. Retrieved 2022-03-01.