A security researcher has proposed a new internet standard whereby website owners would publish a security.txt file offering guidance on how to report and disclose vulnerabilities.

The draft proposal by Ed Foudil was published by the Network Working Group of the Internet Engineering Task Force (IETF).

Foudil believed a security.txt file could operate in a similar fashion to robots.txt, which guides web spiders when they index sites.

“When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to properly disclose them,” Foudil noted.

What is the main purpose of security.txt?

The main purpose of security.txt is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.txt, security researchers can easily get in touch with companies about security issues.

Where should I put the security.txt file?

The /security.txt file should be located under /.well-known/ (/.well-known/security.txt) [RFC5785].

http://example.com/.well-known/security.txt

Is security.txt supposed to replace bug bounty platforms?

No. Security.txt is supposed to accompany them. You can use the Platform: option to link to your bug bounty program.

The Internet draft for security.txt can be found here. Everything listed below will remain here in order to keep the discussion active and to keep track of the project’s progress.

Ed Foudil on Github