What is a security.txt file?

A security.txt file on your website tells security researchers where and how to report vulnerabilities they find in it. The format is standardized in RFC 9116, which places the file at /.well-known/security.txt.

  • Full disclosure … I hadn’t run across security.txt as being “a thing” before this week.
  • A security.txt file on your site lets you provide contact information for how you want to receive reports from security researchers.
  • Consider whether to provide an email address or a web form as the contact; a web form served over HTTPS is probably the better choice.
  • Brian Krebs has reported that the volume of spam “security reports” goes up once a security.txt file is published.
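
As an added example (not part of the original post or the sites it links to), here is a small Python checker that parses a security.txt file and flags the problems that most often make one useless: a missing or bare-address Contact, a missing, expired or far-future Expires line, and duplicated single-use fields. The two sample files, the example.com URLs and the fixed “now” date are constructed for the example.

```python
"""Parse and sanity-check a security.txt file against the RFC 9116 rules.

Added example, not code from the original post. Rules checked:
Contact is required (one or more URIs); Expires is required, exactly once,
ISO 8601, and should be less than a year ahead; Preferred-Languages at most
once; Canonical values should be https URLs. Lines starting with '#' are
comments.
"""
from datetime import datetime, timedelta, timezone

# Fixed clock so the checks are reproducible (assumption for the example).
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed sample that follows the post's advice: point researchers at a
# web form / bug-bounty page rather than only an inbox. example.com is assumed.
GOOD_SECURITY_TXT = """\
# Served from https://example.com/.well-known/security.txt
Contact: https://example.com/security/report
Contact: mailto:security@example.com
Expires: 2024-12-01T00:00:00.000Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/bug-bounty
"""

# Constructed sample with common mistakes: a bare e-mail address instead of a
# mailto: URI, no Expires line, and Preferred-Languages given twice.
BAD_SECURITY_TXT = """\
Contact: security@example.com
Preferred-Languages: en
Preferred-Languages: de
"""


def parse_security_txt(text):
    """Return {lower-case field name: [values in file order]}."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line (no ':'): {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_expires(value):
    # RFC 9116 uses ISO 8601 timestamps; map a trailing 'Z' to +00:00 so
    # fromisoformat() accepts it on older Python versions too.
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # naive timestamp: treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def check_security_txt(text, now=None):
    """Return a list of problem strings; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact is required (at least once)")
    for c in contacts:
        if not c.lower().startswith(("https://", "mailto:", "tel:")):
            problems.append(f"Contact must be a URI (https:, mailto:, tel:): {c}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires is required and must appear exactly once")
    else:
        try:
            exp = _parse_expires(expires[0])
            if exp <= now:
                problems.append(f"Expires is in the past: {expires[0]}")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year out; RFC 9116 recommends less")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")

    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages may appear at most once")

    for url in fields.get("canonical", []):
        if not url.lower().startswith("https://"):
            problems.append(f"Canonical should be an https URL: {url}")

    return problems


if __name__ == "__main__":
    for label, body in (("good", GOOD_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        print(label, check_security_txt(body, now=FIXED_NOW) or "OK")
```

Run it as a script and the first sample passes while the second reports three problems. Point it at your own file before publishing, and re-run it periodically: an Expires date in the past is the most common way a once-correct security.txt quietly stops being trusted.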

I am not convinced everyone needs to have a security.txt file in place. If you have only a static web page, the cost of using email and wading through spam reports would be higher than any benefits.

I do think companies with bug bounty programs should have one in place to direct researchers to their bug bounty site.

Site where I originally learned about security.txt files:

Site to help you create a security.txt file:

Brian Krebs’ article on security.txt files: