SoylentNews is people
SoylentNews
Submitted via IRC for SoyCow5743
Ed Foudil, a web developer and security researcher, has submitted a draft to the IETF — Internet Engineering Task Force — seeking the standardization of security.txt, a file that webmasters can host on their domain root and describe the site's security policies.
The file is akin to robots.txt, a standard used by websites to communicate and define policies for web and search engine crawlers.
The distinction between security.txt and robots.txt is that security.txt will be used to communicate a company's security practices only, and is likely to be read by humans, rather than automated scanners.
For example, if a security researcher finds a security vulnerability on a website, he can access the site's security.txt file for information on how to contact the company and securely report the issue.
[...] This is when Foudil put together a first version of the security.txt specification that he later published on GitHub. Early feedback from the IT security industry convinced the researcher to go on.
"When x0rz [well-known security researcher] tweeted about my proposal I realized that this was something people really wanted and that it was time to start writing up an RFC draft," Foudil said.
[...] Right now, security.txt is at the status of Internet Draft, which is the first IETF regulatory step in a three-stage process that also includes RFC (Request For Comment) and official Internet Standards.
"Once security.txt becomes an RFC the focus will shift to spreading the word and encouraging companies to setup a security.txt file," Foudil told Bleeping Computer.
"Several bug bounty platforms have already offered to help out with this step and hopefully if some of the big companies have a security.txt this will set a good example that could convince others to follow suit."
Source: https://www.bleepingcomputer.com/news/security/security-txt-standard-proposed-similar-to-robots-txt/
(Score: 5, Insightful) by ewk on Thursday September 21 2017, @10:11AM (3 children)
except for the email-address of the security-contact that will be (ab)used for spamming and spearphising :-)
I don't always react, but when I do, I do it on SoylentNews
(Score: 2) by looorg on Thursday September 21 2017, @03:04PM (2 children)
This is what I would be most concerned about. Public email addresses like this, or the one publicly showing in domain registrar and similar, tend to be the once that get all the phishing, scamming and spamming. So they'll just resort to putting down some generic catch-all contact information there that possibly eventually pipes into something a real person might read. That or you just put your honeypot contact info there to train your various filters. Which is all fine and dandy until that ONE day someone finds something bad and tries to contact you and you don't answer in time and shit hits the digital fan and afterwards they find out there was warning but you didn't notice and now you are to blame for it all. So I guess they'll put some kind of underpaid, and eventual disgruntle, intern to just manage that one email address.
(Score: 1) by terrab0t on Thursday September 21 2017, @07:06PM (1 child)
I would list the address of an online contact form with a good captcha.
(Score: 2) by maxwell demon on Friday September 22 2017, @06:22AM
Not possible, as anything other than an email address would violate the standard.
But you could set up an email address with an auto-responder that sends an email telling you (in a way machines cannot parse) how to actually contact the responsible person. That way, nobody will get to see the spam sent to that address (make sure that the reply doesn't quote the original mail, so that it is not abused as spam relay), while humans will get the information they need to contact you.
The Tao of math: The numbers you can count are not the real numbers.