Security.txt is a proposed standard which allows websites to define security policies. The security.txt file sets clear guidelines for security researchers on how to report security issues, and allows bug bounty programs to define a scope. Security.txt is the equivalent of
robots.txt, but for security issues.
“When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to properly disclose them. As a result, security issues may be left unreported. Security.txt defines a standard to help organizations define the process for security researchers to securely disclose security vulnerabilities.”
Internet draft website: https://securitytxt.io/ (https://github.com/securitytxt/security-txt/tree/master/docs)
Security.txt GitHub Organization
The Internet draft for security.txt can be found here: https://tools.ietf.org/html/draft-foudil-securitytxt-03.
There is a mailing list for the security.txt project: https://www.freelists.org/list/securitytxt.
Building the Draft
To build the text and HTML drafts, use the following make command.
$ make clean $ make txt $ make html
This requires that you have the necessary software installed. See the instructions.
What is the main purpose of
The main purpose of
security.txt is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to
security.txt, security researchers can easily get in touch with companies about security issues.
security.txt supposed to replace bug bounty platforms?
No. Security.txt is supposed to accompany them.
Code of conduct
To maintain an orderly, productive, and fun environment, the security.txt project have a few guidelines that we ask people to adhere to when they are participating in contributing to the project. These guidelines apply equally to everyone within the security.txt project. Likewise, they apply to all spaces managed by the security.txt project, both online and offline. This includes GitHub repositories, chat rooms, in-person events, and any other communication channels.
- Be welcoming, friendly, patient, and kind.
- Be respectful.
- Be cautious with how you word things. Our goal is to remain professional.
- When we disagree, try to understand why.
- Direct contributions to the specification will only be accepted from individuals . The security.txt project will not accept contributions to the specification in the name of an organisation. This is to ensure that the specifications and tools remain as neutral as possible.
- Registering an account on any service in the name of the security.txt project must be clearly communicated via the team first. Only verified accounts on the security.txt project's Keybase account are affiliated with the project.
Contributions from the public are welcome.
Using the issue tracker
Issues and labels
The bug tracker utilizes several labels to help organize and identify issues.
Guidelines for bug reports
Use the GitHub issue search — check if the issue has already been reported.
We also accept Bitcoin and Ethereum donations: