More than two years ago, the Internet Engineering Task Force (IETF), an internet standards body, recommended that entities add a security.txt file for security vulnerability disclosures. However, only 4% of Fortune 500 companies have implemented the file so far.
Cybersecurity researchers often struggle to contact organizations when they uncover a vulnerability, so the community came up with a standard: to place a security.txt file on a website that contains human and machine-readable information for contacting the organization.
Back in 2019, the US Cybersecurity and Infrastructure Security Agency (CISA) even published a draft binding operational directive that would require all federal agencies to publish a security.txt file. After revisions, the security.txt remained a proposed standard of the directive but not a requirement.
CISA itself maintains the file to this day. The Internet Engineering Steering Group (IESG) previously advocated for this standard, and the IETF later published RFC 9116, which proposes security.txt as a standard.
However, cybersecurity researcher and enthusiast Repa Martin has discovered that only 21 of the Fortune 500 companies have the file.
“From my experience, almost no organization operates this file. So I was curious... how many Fortune 500 companies do have it? They have budgets for proper security, right? Well… I checked all of them, and only 4% have security.txt file!” the researcher posted on X.
Source: post by Rozumbrada (@repa_martin) on X, November 7, 2024.
According to the proposed standard, the security.txt should be placed under the “/.well-known/” path, such as https://example.com/.well-known/security.txt.
It should contain contact information, such as an email address or phone number, along with encryption keys and other recommended fields, such as links to open security-related job positions and to a vulnerability disclosure policy.
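As an added illustration (example code written for this article, not Cybernews', the IETF's or any listed company's code), the checker below parses a constructed security.txt and reports the problems that a researcher or a site owner would want flagged: a missing Contact or Expires field, a Contact that is not a mailto:, tel: or https: URI, an unknown field name, and an Expires date that is stale or more than a year out. The field names and the one-year recommendation come from RFC 9116; the sample file contents are constructed.

```python
# Parse and sanity-check a security.txt file (RFC 9116 fields). Added example for this article, not Cybernews' or IETF code; SAMPLE is constructed.
from datetime import datetime, timedelta
from urllib.parse import urlparse

REQUIRED = {"contact", "expires"}  # the two fields RFC 9116 makes mandatory
KNOWN = REQUIRED | {"encryption", "acknowledgments", "preferred-languages",
                    "canonical", "policy", "hiring"}
CONTACT_SCHEMES = {"mailto", "tel", "https"}  # accepted Contact URI schemes

SAMPLE = """\
# Constructed example of https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/vulnerability-report
Expires: 2025-11-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
"""

def parse(text):
    """Return {lowercase field name: [values]}, skipping comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def _iso(stamp):  # RFC 3339 timestamp such as 2025-11-01T00:00:00Z (Z = UTC)
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def check(text, now_iso):
    """Return a list of problems found in text; an empty list means the file is usable."""
    fields, now = parse(text), _iso(now_iso)
    problems = [f"missing required field: {f}" for f in sorted(REQUIRED - set(fields))]
    problems += [f"unknown field: {f}" for f in sorted(set(fields) - KNOWN)]
    for uri in fields.get("contact", []):
        if urlparse(uri).scheme not in CONTACT_SCHEMES:
            problems.append(f"Contact is not a mailto/tel/https URI: {uri}")
    for stamp in fields.get("expires", []):  # a stale Expires is a common failure
        try:
            exp = _iso(stamp)
        except ValueError:
            problems.append(f"unparseable Expires: {stamp}")
            continue
        if exp <= now:
            problems.append(f"file expired on {stamp}")
        elif exp - now > timedelta(days=365):
            problems.append("Expires is more than a year out; RFC 9116 recommends less")
    return problems
```

Run `check(SAMPLE, "2025-01-01T00:00:00Z")` to see an empty list for the sample, and pass a date after 2025-11-01 to see the expiry flagged.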
Google, Microsoft, GitHub and Meta, for example, each publish such a file.
Is it a big deal?
The Cybernews research team works with vulnerability disclosures almost every day and confirmed that researchers often look for contact information in the security.txt files.
“However, it is not common and usually isn't the first place where researchers look for information. Personally, I check sitemap.xml as it can often lead to clues where you can find vulnerability disclosure policy or information. Security.txt is not enforced and, therefore, often hard to find. The trend with Fortune 500 companies is probably even worse in general,” one of Cybernews researchers said.
The cybersecurity community on Reddit seems to agree that it’s not a deal-breaker – it is more important to have open reporting channels, which are often lacking.
“It's not a requirement for the NIST / SOC2/ ISO 27001 framework, and the standard (RFC 9116) is entirely voluntary. No surprise here,” one of the users posted.
“As a CERT, I don't care much about the bug bounty part of security.txt, but rather the contact details. So many times we learned a website/org has been breached and we need to contact them but with no luck,” another user added.
Security professionals said they would value the contact information and the convenience of a single security.txt file, which makes it easier to reach out about potential security issues.
However, some also shared insights into why companies are hesitant: the so-called “beg bounties,” where reporters demand payment for minor or nonexistent findings of little value.
“I always love getting emails where I have a ‘security researcher’ with a CRITICAL FINDING for my company, and the finding is something like ‘this domain is missing the X-Frame-Options header, feel free to send money to my PayPal,’” one community member said.
Some users complained that security.txt rarely led to high-value reports. One user even dubbed RFC 9116 “the internet standard for spamming companies with no bug bounty program with beg bounties for no-value findings.”
“It’s not a serious way to encourage responsible disclosure, and it does open you up to risk because, in almost all cases, the reporter wants a bounty. If you don’t pay or ignore it, they could go public or sell the exploit before you have a chance to patch it,” another user noted.
Some were afraid that bug bounties might encourage hackers to attack them more often. Yet many cyber pros agreed that security.txt has good intentions and could be a useful tool for those who care about website security.
The low adoption rate and remaining skepticism suggest that security.txt still has a long way to go to become a widely accepted standard.