Webhosting | Hosting - My Hosting Partner

What is a security txt file

MijnHostingPartner

Almost all websites have a number of txt files in the wwwroot of the installation. This can be a readme file that came with the installation, an ads.txt for passing information to advertisers, or a robots.txt file that ensures the website is indexed correctly. The function of a security.txt file is to make clear how and where a digital vulnerability can be reported. Often this is a security vulnerability within the application or a configuration error that allows misuse. In this article we cover how this works and how you can start using it for your website.

Not every hacker is out to abuse your website. There are also many individuals, and often programs written by individuals, who scan the web for vulnerabilities and then report them to the appropriate party, precisely to prevent abuse. However, it is not always clear where vulnerabilities can be reported. A security.txt file is one way to make this information available: it contains instructions on how to get in touch with the appropriate department so that the issue can be addressed and resolved.

After finding a leak or vulnerability, it can be handled in a few different ways.

Part of Responsible Disclosure

There are several ways for an ethical hacker to disclose a vulnerability within an application; the three main ones are the following.

Full Disclosure: the finder immediately discloses publicly that a vulnerability is present. This is often undesirable, because the vulnerability can then be exploited by anyone, including malicious parties.

Non Disclosure: the finding is not disclosed at all. There is neither a public disclosure nor a notification to the organization that a leak is present. This has the major disadvantage that the leak cannot be fixed by the organization either.

Responsible Disclosure is a good middle ground between the two: after finding the leak or vulnerability, the finder notifies the organization, with a technical description of the vulnerability. The organization in question then has the chance to fix and patch it. A security.txt file can be of great help here, since it is immediately clear to the finder where the vulnerability can be reported.

Creating a Security.txt file

A security.txt file is easy to create: simply open Notepad and put in the information on where reports should be filed. A better way is to use a website such as https://securitytxt.org/, which generates the file for you in a format that follows the standard and is therefore parsed best by automated systems. Then upload the generated file into your hosting space. It can be placed in the wwwroot as well as in the .well-known folder (the .well-known location is the one the standard prescribes; the copy in the root serves older tools), so that it is always available.

You can test whether it works by putting the file name after your regular domain name in the browser. The txt file should then be shown. If it is not, check whether the name is correct and whether you have put the file in the right place. After all, it must be accessible from outside so that it can be found by well-intentioned people and by programs and crawlers alike.
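Once the file is uploaded, it is worth checking that it actually contains what automated reporting tools look for. The following validator is an added example written for this article, not code from MijnHostingPartner or securitytxt.org; the sample file content, addresses and URLs in it are constructed placeholders. It parses a security.txt and checks the two fields the standard requires: at least one Contact, and exactly one Expires date that lies in the future.

```python
from datetime import datetime, timezone

# Constructed sample in the layout a generator such as securitytxt.org emits;
# the addresses and URLs are placeholders, not a real organisation's.
SAMPLE_SECURITY_TXT = """\
# security.txt for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2099-12-31T23:59:00.000Z
Preferred-Languages: en, nl
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/responsible-disclosure
"""


def parse_security_txt(text):
    """Map each field name (lower-cased) to its values; comments and blanks are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return the list of problems found; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    # RFC 9116 requires at least one Contact and exactly one Expires.
    if "contact" not in fields:
        problems.append("missing Contact field: reporters have nowhere to send a finding")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
        return problems
    try:
        when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    except ValueError:
        problems.append("Expires is not an RFC 3339 date-time")
        return problems
    if when.tzinfo is None:  # treat a zone-less timestamp as UTC
        when = when.replace(tzinfo=timezone.utc)
    if when <= now:
        problems.append("Expires is in the past: automated tools will treat the file as stale")
    return problems
```

Run `validate_security_txt` on the text you uploaded; an expired file is the most common way a security.txt silently stops working, so re-check it whenever the Expires date approaches.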

Reasons for making a security.txt file active

A security.txt file therefore makes it easier for well-intentioned people to report that something is wrong with your website. Having the file available ensures that the reporting route is clear to the people who look for it, which makes them more likely to actually report a vulnerability. It can also carry the necessary information about a reward, also known as a bug bounty.

Another important reason to have a security.txt file is that it allows ethical hackers to test your website for vulnerabilities on an ongoing basis. This can reveal more, or more important, issues than the snapshot that an audit or penetration test provides.

If someone within your organization is responsible for handling these types of security issues, it is advisable to create a security.txt file. Chances are that you will receive quite a lot of notifications through it; it is up to you to filter out which notifications are authentic and which should be handled with high priority. Not every notification will be equally high on the priority list, and there will even be reports that have nothing to do with the security of your website.

Example of a security.txt

As an example, take a look at Google's security.txt, which can be viewed at the following link:

It looks like this:

[Screenshot of Google's security.txt]

You can see that there is a clear link to the information ethical hackers need, and that it is immediately clear what the reporting policy is and what the possible reward is.

Is a security.txt file recommended for everyone?

So a security.txt can help make your website more secure. It is mainly somewhat larger companies and specialists who will apply this to their website. The question is whether it is also interesting for an average hobby website, maintained by a beginner and built with WordPress. Beyond the standard updating of a plug-in or theme, the technical knowledge needed to fix a deeper problem will probably be lacking there.

For companies that periodically have a pen test or security audit performed, such a file does add something, since incoming reports can then be passed on to the party that handles security.

Would you like further guidance and have questions specifically answered for your company? Then take a look at our partner MijnSecurityPartner.nl. Here our specialists are ready for you!