Submitted via IRC for SoyCow5743
Ed Foudil, a web developer and security researcher, has submitted a draft to the IETF — Internet Engineering Task Force — seeking the standardization of security.txt, a file that webmasters can host on their domain root and describe the site's security policies.
The file is akin to robots.txt, a standard used by websites to communicate and define policies for web and search engine crawlers.
The distinction between security.txt and robots.txt is that security.txt will be used to communicate a company's security practices only, and is likely to be read by humans, rather than automated scanners.
For example, if a security researcher finds a security vulnerability on a website, he can access the site's security.txt file for information on how to contact the company and securely report the issue.
[...] This is when Foudil put together a first version of the security.txt specification that he later published on GitHub. Early feedback from the IT security industry convinced the researcher to go on.
"When x0rz [well-known security researcher] tweeted about my proposal I realized that this was something people really wanted and that it was time to start writing up an RFC draft," Foudil said.
[...] Right now, security.txt is at the status of Internet Draft, which is the first IETF regulatory step in a three-stage process that also includes RFC (Request For Comment) and official Internet Standards.
"Once security.txt becomes an RFC the focus will shift to spreading the word and encouraging companies to setup a security.txt file," Foudil told Bleeping Computer.
"Several bug bounty platforms have already offered to help out with this step and hopefully if some of the big companies have a security.txt this will set a good example that could convince others to follow suit."
Source: https://www.bleepingcomputer.com/news/security/security-txt-standard-proposed-similar-to-robots-txt/
(Score: 2) by bradley13 on Thursday September 21 2017, @10:38AM (1 child)
This. I would have thought the technical contact on the domain registration should be the point of contact. For companies that are dumb enough to hide this, or put something useless there, that's their problem.
Everyone is somebody else's weirdo.
(Score: 4, Insightful) by fraxinus-tree on Thursday September 21 2017, @10:45AM
The bad thing is that in 2017 a security problem of some dumb entity is usually at least an annoyance to a lot more