Security.txt standard may help researchers report flaws

A security researcher has proposed a new internet standard whereby website owners would publish a security.txt file offering guidance on how to report and disclose vulnerabilties.

The draft proposal by Ed Foudil was published by the Network Working Group of the Internet Engineering Task Force (IETF).

Foudil believed a security.txt file could operate in a similar fashion to robots.txt, which guides web spiders when they index sites.

"When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to properly disclose them," Foudil noted.

"As a result, security issues may be left unreported. Security.txt defines a standard to help organisations define the process for security researchers to securely disclose security vulnerabilities."

Under the proposal, the security.txt file would be stored at the top level directory of companies' web servers, providing researchers with quick and easy access to the information they need to report vulnerabilities.

Initially, security.txt would contain only four directives.

Reseachers could use it to find an email address and phone number to use for reporting vulnerabilities in the file, along with a link to the Pretty Good Privacy (PGP) digital key to use for encrypted communications.

Companies could also specify the type of vulnerability disclosure policy they have: whether "full" for complete disclosure, partial, or "none" which specifies that no reports will be disclosed after the security issue has been reported.

The disclosure directive does not imply permission is automatically given to researchers to reveal vulnerabilites. Instead, researchers would need to seek permission whenever possible before making a disclosure.

Finally, an acknowledgement directive could be used to provide a link to a web page on which researchers were recognised and credited for their work.

Further directives could be added to security.txt as well. Foudil initially had several more options such as which type of vulnerabilties a company would accept reports on, but pared down the directives to just four for the inital draft.

A formal IETF Request for Comments (RFC) document is currently being prepared by Foudil for his security.txt proposal.