Submitted via IRC for SoyCow5743
Ed Foudil, a web developer and security researcher, has submitted a draft to the IETF — Internet Engineering Task Force — seeking the standardization of security.txt, a file that webmasters can host on their domain root and describe the site's security policies.
The file is akin to robots.txt, a standard used by websites to communicate and define policies for web and search engine crawlers.
The distinction between security.txt and robots.txt is that security.txt will be used to communicate a company's security practices only, and is likely to be read by humans, rather than automated scanners.
For example, if a security researcher finds a security vulnerability on a website, he can access the site's security.txt file for information on how to contact the company and securely report the issue.
[...] This is when Foudil put together a first version of the security.txt specification that he later published on GitHub. Early feedback from the IT security industry convinced the researcher to go on.
"When x0rz [well-known security researcher] tweeted about my proposal I realized that this was something people really wanted and that it was time to start writing up an RFC draft," Foudil said.
[...] Right now, security.txt is at the status of Internet Draft, which is the first IETF regulatory step in a three-stage process that also includes RFC (Request For Comment) and official Internet Standards.
"Once security.txt becomes an RFC the focus will shift to spreading the word and encouraging companies to setup a security.txt file," Foudil told Bleeping Computer.
"Several bug bounty platforms have already offered to help out with this step and hopefully if some of the big companies have a security.txt this will set a good example that could convince others to follow suit."
Source: https://www.bleepingcomputer.com/news/security/security-txt-standard-proposed-similar-to-robots-txt/
(Score: 2) by maxwell demon on Friday September 22 2017, @06:22AM
Not possible, as anything other than an email address would violate the standard.
But you could set up an email address with an auto-responder that sends an email telling you (in a way machines cannot parse) how to actually contact the responsible person. That way, nobody will get to see the spam sent to that address (make sure that the reply doesn't quote the original mail, so that it is not abused as spam relay), while humans will get the information they need to contact you.
The Tao of math: The numbers you can count are not the real numbers.