_ _ _ _____ ___ __ __ _(_) | _(_)___ / ( _ ) / /_ ___ ___ _ __ ___ \ \ /\ / / | |/ / | |_ \ / _ \| '_ \ / __/ _ \| '_ ` _ \ \ V V /| | <| |___) | (_) | (_) | (_| (_) | | | | | | \_/\_/ |_|_|\_\_|____/ \___/ \___(_)___\___/|_| |_| |_|
A File Format to Aid in Security Vulnerability Disclosure | |
Status | Published |
---|---|
Year started | 2017 |
First published | September 2017 |
Latest version | April 2022 |
Authors | Edwin Foudil |
Base standards | RFC 9116 |
Website | securitytxt |
security.txt is an accepted standard for website security information that allows security researchers to report security vulnerabilities easily.[1] The standard prescribes a text file called security.txt in the well known location, similar in syntax to robots.txt but intended to be machine- and human-readable, for those wishing to contact a website's owner about security issues.[2] security.txt files have been adopted by Google, GitHub, LinkedIn, and Facebook.[3]
The Internet Draft was first submitted by Edwin Foudil in September 2017.[4] At that time it covered four directives, "Contact", "Encryption", "Disclosure" and "Acknowledgement". Foudil expected to add further directives based on feedback.[5] In addition, web security expert Scott Helme said he had seen positive feedback from the security community while use among the top 1 million websites was "as low as expected right now".[4]
In 2019, the Cybersecurity and Infrastructure Security Agency (CISA) published a draft binding operational directive that requires all federal agencies to publish a security.txt file within 180 days.[6][7]
The Internet Engineering Steering Group (IESG) issued a Last Call for security.txt in December 2019 which ended on January 6, 2020.[8]
A study in 2021 found that over ten percent of top-100 websites published a security.txt file, with the percentage of sites publishing the file decreasing as more websites were considered.[9] The study also noted a number of discrepancies between the standard and the content of the file.
In April 2022 the security.txt file has been accepted by Internet Engineering Task Force (IETF) as RFC 9116.[1]
security.txt files can be served under the /.well-known/
directory (i.e. /.well-known/security.txt
) or the top-level directory (i.e. /security.txt
) of a website. The file must be served over HTTPS and in plaintext format.[10]