In this post, we're going to talk about "security.txt":
- what is it
- what are the benefits
- the downsides
- how you can easily create your own "security.txt" file
- how to make the best of it if you're a pentester or bounty hunter
So if you wanna learn about "security.txt", or you wanna know more about it, this post is for you.
Want to watch a video to supplement your reading? Check this out:
What exactly is a "security.txt" file?
It is a proposed standard that allows websites to define security policies and sets clear guidelines for security researchers on how to report security issues.
You can think of it as the equivalent of "robots.txt" or "ads.txt", but for security issues.
And you may ask, but why do we need this in the first place?
This is a valid question.
Every year, security researchers identify thousands of new vulnerabilities and misconfigurations, and most of the time they want to report them so the company or developer can fix them.
And here comes the fun part.
To report the problem you have to first find the right person to report it to.
You don't want to report security issues to sales or customer support because they wouldn't know what to do with them.
So having clear guidelines on where to report the issues is of tremendous help for pentesters, bounty hunters, and security researchers.
Even though this standard was first proposed in 2017, it is still in the final stages as an Internet draft.
However, it has already been adopted by major companies such as Google, Facebook, GitHub, LinkedIn, and Dropbox, and is being recommended for use throughout U.S. and U.K. government agencies as well.
Let's take Adobe's "security.txt" file as an example:
Here we have all the things we need to properly report a security issue.
We know who to contact, their preferred languages, their security policy, the PGP (Pretty Good Privacy) signature for secure communication, and so on.
So as you can see, having a "security.txt" file greatly simplifies the process of reporting a security vulnerability because you know who you need to report to and what guidelines you need to follow for your report to be valid.
The Structure
Now let's have a look at the structure of this file.
First of all, let's check out the URL.
We can see that the file is placed under the /.well-known directory, but it can also be placed at the root directory of a website or even in both locations at the same time.
Now letâs have a look at the contents.
The "security.txt" file is formatted as lines of key-value pairs separated by colons, where the key is a field name.
And there are currently 8 fields defined:
- Acknowledgments are links to a web page where people can be recognized for their reports
- Canonical lists the canonical URI of the security.txt file; it can be useful when someone obtains the security.txt file through means other than directly accessing that location
- Contact is a required field that provides information on where to report vulnerabilities, such as an email address, a phone number, or a web page with contact information. You can have more than one Contact field if you need to.
- Encryption locates an encryption key that should be used for secure communication when reporting security issues
- Expires is also a required field; it indicates when the data in the file should be considered stale and no longer used. The date can be as far in the future as you wish, but it's recommended to be less than a year into the future
- Hiring lists links to a web page on security-related job positions at the organization
- Policy provides the location of the organization's vulnerability disclosure policy
- Preferred-Languages enumerates the languages that the organization would prefer be used when submitting security reports
One more thing: the security.txt file should have an Internet Media Type of text/plain and must be served over HTTPS.
Easily create your own "security.txt" file
Now that we're familiar with the purpose and structure of the security.txt file, let's see how we can easily create one for ourselves.
Of course, you can go ahead and right-click, create a new file, add some content and call it a day, but if you want to adopt this proposed standard you should take into account its rules.
So to make this job easier, go to securitytxt.org and generate your own standard-compliant content.
There you'll find an easy-to-complete form with all the fields that are currently available.
When you've finished completing the desired fields, press the generate button and then just copy and paste the content into your security.txt file.
That's all!
Find targets for ethical hacking
Next up I want to show you a nice way to take advantage of the "security.txt" file if you're doing bug bounties.
Go to your favorite search engine, mine happens to be Brave Search, and search for the following query:
"security.txt" filetype:txt
This is going to find all the websites that have the "security.txt" file.
So now you have many targets that a lot of people don't know about or that a lot of hackers don't focus their attention on.
I think this can be a nice addition to your hacking tools and I hope it will bring you great rewards.
Disadvantages of using "security.txt"
Now that we've talked about the benefits of the "security.txt" file, let's turn the page and talk about its disadvantages.
Every downside I'm gonna mention has already been described in the official documentation.
Okay, so the first downside people complain about is the spam and useless reports they receive shortly after the "security.txt" file has been made public.
This is because there are a lot of script kiddies sending automated reports, most of them close to useless. If you try to have a conversation with such people, you'll find that it's just a waste of time because they have no idea how to help you fix a security issue.
So you'll probably end up hating yourself for adding the "security.txt" file.
But this shouldn't be the case, because you can mitigate the spam by implementing e-mail filters, which will reduce the number of spam e-mails you're gonna receive.
Another downside would be that most people who see that you have a "security.txt" would assume that your organization is providing permission to do security testing against your services or products.
This might result in increased testing against your organization's infrastructure, which can lead to certain problems.
But on the other hand, if you don't have a "security.txt", people would assume your organization doesn't accept security reports.
So to avoid confusion, make sure to add your company's vulnerability disclosure policy as mentioned earlier.
One last disadvantage I'm gonna mention is compromised files and incident response.
An attacker that has compromised a website is able to compromise the "security.txt" file as well.
This can result in security reports not being received by the organization or, even worse, they could be sent to the attacker instead.
To protect against this, you should use the Canonical field to indicate the locations of the file, digitally sign the file, and do a check-up on the file from time to time to detect tampering.
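As an added example (not the post's own code), here is a small Python checker that covers both the field rules from the Structure section and the periodic check-up recommended just above: it parses the key-value lines, validates the two required fields and the Expires window, flags unknown fields, and fingerprints the served body so a later check-up can spot a changed file. The sample file is constructed and belongs to no real organization.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample body (not any real organization's file).
SAMPLE = """# Constructed example
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Canonical: https://example.com/.well-known/security.txt
"""
KNOWN_FIELDS = {f.lower(): f for f in (  # the eight fields, matched case-insensitively
    "Acknowledgments", "Canonical", "Contact", "Encryption",
    "Expires", "Hiring", "Policy", "Preferred-Languages")}

def parse_security_txt(text):
    """Return {field: [values]} from 'Field: value' lines; comments and blanks are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        name = KNOWN_FIELDS.get(key.strip().lower(), key.strip())
        fields.setdefault(name, []).append(value.strip())
    return fields

def validate(fields, now=None):
    """Return a list of problems; an empty list means the rules above are met."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not fields.get("Contact"):
        problems.append("Contact is required but missing")
    expires = fields.get("Expires", [])
    try:  # exactly one Expires, in RFC 3339 form with a timezone
        when = datetime.fromisoformat(expires[0].replace("Z", "+00:00")) if len(expires) == 1 else None
    except ValueError:
        when = None
    if when is None or when.tzinfo is None:
        problems.append("Expires must appear exactly once as an RFC 3339 timestamp")
    elif when <= now:
        problems.append("Expires is in the past; the file is stale")
    elif when > now + timedelta(days=365):
        problems.append("Expires is more than a year away (under a year is recommended)")
    problems += [f"unknown field {n!r}" for n in fields if n not in KNOWN_FIELDS.values()]
    return problems

def fingerprint(text):
    """SHA-256 of the served body; store it and compare on each check-up to detect tampering."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()
```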
Conclusions
That's all I had to say about the "security.txt" file.
If I missed something, please do let me know in the comments section, and also let me know if you already have a "security.txt" for your website or if you're going to create one in the future.
I hope the information I've shared in this post has helped you better understand what "security.txt" is and how we can use it to our advantage to report security issues.
And for the bug hunters out there, this file can make your job easier when it comes to finding potential targets to reap some juicy rewards.
Let me know what you think about this article in the comments section below.
If you find this article helpful, please share it with others and subscribe to the blog to support me, and receive a bi-monthly-ish e-mail notification on my latest articles.