|A Method for Web Security Policies|
|First published||September 2017|
11 March 2021
security.txt is a proposed standard for websites' security information that is meant to allow security researchers to easily report security vulnerabilities. The standard prescribes a text file called "security.txt" in the well known location, similar in syntax to robots.txt but intended to be read by humans wishing to contact a website's owner about security issues. security.txt files have been adopted by Google, GitHub, LinkedIn, and Facebook.
The Internet Draft was first submitted by Edwin Foudil in September 2017. At that time it covered four directives, "Contact", "Encryption", "Disclosure" and "Acknowledgement". Foudil expected to add further directives based on feedback. In addition, web security expert Scott Helme said he had seen positive feedback from the security community while use among the top 1 million websites was "as low as expected right now".
In 2019, the Cybersecurity and Infrastructure Security Agency (CISA) published a draft binding operational directive that requires all federal agencies to publish a security.txt file within 180 days.
- at 13:47, John Leyden 3 Jan 2018. "Bug-finders' scheme: Tick-tock, this tech's tested by flaws.. but who the heck do you tell?". www.theregister.co.uk. Retrieved 2019-04-14.
- "Security.txt Standard Proposed, Similar to Robots.txt". BleepingComputer. Retrieved 2019-04-14.
- "The Telltale Text File: Security Researcher Proposes Standard for Reporting Vulnerabilities". Security Intelligence. Retrieved 2019-04-14.
- Cimpanu, Catalin (2019-11-29). "iOS apps could really benefit from the newly proposed Security.plist standard". ZDNet. Retrieved 2020-06-16.
- "CISA Seeks Comments on How Government Should Handle Vulnerability Reports". Decipher. Retrieved 2020-01-29.
- Kuldell, Heather (2019-12-18). "CISA Still Wants Your Thoughts on Its Vulnerability Disclosure Policy". Nextgov.com. Retrieved 2020-01-29.
- "Security.txt – IESG issues final call for comment on proposed vulnerability reporting standard". The Daily Swig | Cybersecurity news and views. 2019-12-12. Retrieved 2020-03-30.