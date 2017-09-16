Security.txt Standard Proposed, Similar To Robots.txt (bleepingcomputer.com) 24
An anonymous reader writes: Ed Foudil, a web developer and security researcher, has submitted a draft to the IETF — Internet Engineering Task Force — seeking the standardization of security.txt, a file that webmasters can host on their domain root to describe the site's security policies. The file is akin to robots.txt, a standard used by websites to communicate and define policies for web and search engine crawlers...
For example, if a security researcher finds a security vulnerability on a website, he can access the site's security.txt file for information on how to contact the company and securely report the issue. According to the current security.txt IETF draft, website owners would be able to create security.txt files that look like this:
#This is a comment
Contact: security@example.com
Contact: +1-201-555-0123
Contact: https://example.com/security
Encryption: https://example.com/pgp-key.tx...
Acknowledgement: https://example.com/acknowledg...
Disclosure: Full
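To make the format concrete, here is a small parser and sanity checker for a security.txt file of the shape shown in the summary. It is an added example, not code from the IETF draft or from Ed Foudil. The field names and the sample file come from the summary; everything else is this example's own assumption: the two truncated URLs are filled in with placeholder paths, Contact is treated as mandatory, "Partial" and "None" are assumed alongside "Full" as Disclosure values, and an Encryption key served over plain http is flagged because a key fetched without TLS can be swapped in transit.

```python
"""Parser and sanity checker for security.txt (added example, not the draft's code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the summary's example file, with the two truncated
# URLs completed using placeholder paths chosen for this example.
SAMPLE = """\
#This is a comment
Contact: security@example.com
Contact: +1-201-555-0123
Contact: https://example.com/security
Encryption: https://example.com/pgp-key.txt
Acknowledgement: https://example.com/acknowledgements
Disclosure: Full
"""

# Constructed sample of a file a webmaster might publish by mistake.
BAD_SAMPLE = """\
Encryption: http://example.com/pgp-key.txt
Disclosure: Maybe
Hello world
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?[0-9][0-9\-().\s]{5,}$")
URL_RE = re.compile(r"^https?://\S+$")

# "Full" is the value shown in the summary; "Partial" and "None" are assumed
# here as the other values the draft allows.
DISCLOSURE_VALUES = {"full", "partial", "none"}


@dataclass
class SecurityTxt:
    contacts: list = field(default_factory=list)        # (kind, value) pairs
    encryption: list = field(default_factory=list)
    acknowledgement: list = field(default_factory=list)
    disclosure: Optional[str] = None
    warnings: list = field(default_factory=list)


def classify_contact(value):
    """Return 'email', 'phone' or 'url' for a Contact value, or None if unrecognised."""
    v = value
    if v.lower().startswith("mailto:"):
        v = v[len("mailto:"):]
    if EMAIL_RE.match(v):
        return "email"
    if v.lower().startswith("tel:"):
        v = v[len("tel:"):]
    if PHONE_RE.match(v):
        return "phone"
    if URL_RE.match(v):
        return "url"
    return None


def parse_security_txt(text):
    """Parse 'Field: value' lines, skipping blanks and '#' comments; collect warnings."""
    doc = SecurityTxt()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            doc.warnings.append(f"line {lineno}: expected 'Field: value'")
            continue
        # split on the first colon only, so URLs in the value survive intact
        name, value = (part.strip() for part in line.split(":", 1))
        key = name.lower()
        if key == "contact":
            kind = classify_contact(value)
            if kind is None:
                doc.warnings.append(f"line {lineno}: unrecognised Contact form {value!r}")
            doc.contacts.append((kind, value))
        elif key in ("encryption", "acknowledgement"):
            if not URL_RE.match(value):
                doc.warnings.append(f"line {lineno}: {name} must be a URL")
            elif key == "encryption" and not value.startswith("https://"):
                # assumption: a PGP key fetched over plain http can be replaced in transit
                doc.warnings.append(f"line {lineno}: Encryption key should be served over https")
            getattr(doc, key).append(value)
        elif key == "disclosure":
            if value.lower() not in DISCLOSURE_VALUES:
                doc.warnings.append(f"line {lineno}: unknown Disclosure value {value!r}")
            doc.disclosure = value
        else:
            doc.warnings.append(f"line {lineno}: unknown field {name!r}")
    # assumption: at least one Contact line is required for the file to be useful
    if not doc.contacts:
        doc.warnings.append("no Contact line: researchers have no way to reach you")
    return doc


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("bad", BAD_SAMPLE)):
        doc = parse_security_txt(text)
        print(label, doc.contacts, doc.disclosure, doc.warnings)
```

Run against the summary's file the checker returns three classified contacts and no warnings; against the constructed bad file it reports the http key, the unknown Disclosure value, the malformed line and the missing Contact, which is the kind of check a site owner would want before publishing the file.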
HTML? (Score:1)
There's going to be <a href> tags in security.txt? No? Then don't make the links clickable in the fucking summary.
+1 (Score:2)
Hell, I'll be implementing that Monday morning for a couple servers, screw waiting for the standard.
Spam! (Score:4, Insightful)
Yay! Zillions of more juicy Email addresses and phone numbers to collect and spam! Robots will sweep up all that data and hammer the "contacts" to death.
Couldn't agree more! This was exactly what I was thinking: the security contact address will be spammed so hard that it'll be hard to find the mails that should get through.
Rewolve? (Score:2)
...who should be competent enough to get the information to a qualified person to rewolve the issue.
Thanks for mentioning that. I totally missed the lycanthropy part.
Here's my guess... (Score:3)
P3P redux (Score:3)
It's almost like https://www.w3.org/P3P/ wasn't already a thing that died with a whimper 10 years ago. On the other hand, an almost syntax-free text-file might gain some more traction, even if I fail to see how that's actually useful over some "About" or "Contact" link on the website menu.
Example (Score:2)
Non problem (Score:3)
This is not a solution to any real problem.
The problem is companies that don't want to hear about vulnerabilities. Those companies are unlikely to put up security.txt entries.
"None so deaf as those that will not hear. None so blind as those that will not see." Matthew Henry.