Web security policy looks to streamline communication between researchers and organizations

The Internet Engineering Steering Group (IESG) has issued a final call for comment on security.txt, a web security policy that aims to make the vulnerability disclosure process as simple as possible for researchers.

Interested parties have less than a month to submit comment on the policy, which, after having gained traction over recent years, may soon become a recommended vulnerability disclosure reporting standard for all websites.

The proposal, ‘A Method for Web Security Policies’, has been designed to improve the communication channels that independent researchers currently use to disclose vulnerabilities and other bugs found in web services.

This would be done through a standardized file that organizations and site admins simply add to their websites – security.txt.

“The security.txt file sets clear guidelines for security researchers on how to report security issues,
and allows bug bounty programs to define a scope,” the GitHub page for the proposed standard states.

“Thanks to security.txt, security researchers can easily get in touch with companies about security issues.”

Clear and simple guidance

The vulnerability disclosure process is a well-known nightmare for researchers, who often find themselves unable to inform an organization about security bugs due to a lack of clear (and secure) guidance.

“Bad things happen and organizations need to respond quickly to resolve them but one things that’s always slowed down the process was me not being able to find who I should speak to,” security researcher Scott Helme commented in a blog post published last year.

The result is that many vulnerabilities go unreported, and the chaotic loop of firefighting zero-days and disclosure of colossal data breaches remains unbroken.

security.txt aims to be a ‘one-stop shop’ for an organization’s vulnerability disclosure policy (VDP) and provide contact information not limited to email, the proposal states.

“The file is named security.txt, and this file SHOULD be placed under the /.well-known/ path (/.well-known/security.txt) [RFC8615] of a domain name or IP address for web properties,” it adds on the file’s specification.

“For legacy compatibility, a security.txt file might be placed at the top level path.”

Easy as .txt

A draft of the security.txt standard was first proposed in 2017 by Edwin Foudil, and has already been implemented on websites by organizations that maintain a VDP.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has also included mandatory security.txt deployment within its recently published directive, which would require all federal agencies to publish a VDP.

security.txt files should be published at the /.well-known/ path of an agency’s primary .gov domain, CISA reiterates.

The file will additionally assist the US cybersecurity body with knowing who has complied with the directive that is soliciting comment at present.

The IESG’s call for comment ends on January 6, 2020.

More information can be found on the security.txt project website.


YOU MAY ALSO LIKE US federal agencies to publish vulnerability disclosure policy