posted by Fnord666 on Thursday September 21 2017, @09:41AM
from the next-up-is-spammers.txt dept.

Submitted via IRC for SoyCow5743

Ed Foudil, a web developer and security researcher, has submitted a draft to the IETF — Internet Engineering Task Force — seeking the standardization of security.txt, a file that webmasters can host on their domain root to describe the site's security policies.

The file is akin to robots.txt, a standard used by websites to communicate and define policies for web and search engine crawlers.

The distinction between security.txt and robots.txt is that security.txt will be used to communicate a company's security practices only, and is likely to be read by humans, rather than automated scanners.

For example, if a security researcher finds a security vulnerability on a website, he can access the site's security.txt file for information on how to contact the company and securely report the issue.

[...] This is when Foudil put together a first version of the security.txt specification that he later published on GitHub. Early feedback from the IT security industry convinced the researcher to go on.

"When x0rz [well-known security researcher] tweeted about my proposal I realized that this was something people really wanted and that it was time to start writing up an RFC draft," Foudil said.

[...] Right now, security.txt is at the status of Internet Draft, which is the first IETF regulatory step in a three-stage process that also includes RFC (Request For Comment) and official Internet Standards.

"Once security.txt becomes an RFC the focus will shift to spreading the word and encouraging companies to set up a security.txt file," Foudil told Bleeping Computer.

"Several bug bounty platforms have already offered to help out with this step and hopefully if some of the big companies have a security.txt this will set a good example that could convince others to follow suit."

Source: https://www.bleepingcomputer.com/news/security/security-txt-standard-proposed-similar-to-robots-txt/


  • (Score: 4, Interesting) by FakeBeldin on Thursday September 21 2017, @10:59AM (4 children)

    I was working on a project where (in the first stage) we identified a security flaw and tried to disclose it to the companies.
    www@, abuse@, hostmaster@, whois info, checking the website for contact details....

    For more than one site, I had to resort to using a contact form - which was either ignored or ended up with some equivalent of a customer service representative, who of course is not at all trained to handle questions of the "hi, I broke your website and would like to explain how I did (for free) so you can fix it" sort. If I remember correctly, out of the over a dozen websites contacted, I only reached a knowledgeable person 2 or 3 times, one of which was after multiple indirections (in which I was every time being very careful with wording things precisely, so as to escalate towards a techy, not a lawyer).

    Draining experience. Security.txt would be a godsend.
    Sure, not everyone will have it, but at least those who are serious about security will. And then it's vastly easier to use the right process of contacting the folks responsible in the correct fashion. For the rest, I'd do a best-effort like I did now, but this time I would expect little response and general ignorance -- otherwise there would have been a security.txt.

  • (Score: 4, Insightful) by anubi on Thursday September 21 2017, @12:01PM (2 children)

    It's been my experience that once a business has grown large enough to executize the management layer, they are quite apt to lose contact with their foundation.

    The executive layer functions much like a banana peel between the floor ( customer ) and the shoe ( investors ).

    Here's another! [nytimes.com]

    I have seen this kind of thing happen at several companies which were bought out by other companies, where the people who knew what was going on weren't deemed important enough to keep, as the new management had their own ways of doing things.

    Many people seem to find impressive presentations have a lot more impact than knowing what they are doing. Actually, knowing what you are doing is only apt to get one labeled as a perfectionist, sneered at, then replaced.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    • (Score: 0) by Anonymous Coward on Thursday September 21 2017, @12:07PM

      Now, you know why the words "Hold Harmless" are in such wide use in corporate communications.

    • (Score: 1, Redundant) by DannyB on Thursday September 21 2017, @01:56PM

      In such a large organization, it is futile to try contacting www@, abuse@, hostmaster@, etc.

      Instead try ineptitude@, incompetence@, ignorance@, malice@, cya@ or lawyers@.

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
  • (Score: 2, Informative) by Anonymous Coward on Thursday September 21 2017, @12:44PM

    SECURITY@ is a well-known mailbox. It's defined in RFC 2142, the same one that defines ABUSE@ and POSTMASTER@.