Some days ago, while scrolling my Mastodon feed (for those who don't know it, it is like Twitter, but instead of being a single website the network is composed of many different servers that interact with each other), I found the following message:
To server admins:
One upcoming but already widespread format is the security.txt file at https://your-server/.well-known/security.txt.
See https://securitytxt.org/ and https://infosec-handbook.eu/.well-known/security.txt.
It caught my attention because my personal domain didn't have one at the time. I've added it to other projects in the past, but do I need one for a personal domain?
After some thought, I couldn't find any reason why I shouldn't add one in this particular case. So, as you might already have guessed, this post is about the steps I took to add it to my domain.
What is it?
A small text file, just like robots.txt, placed in a well-known location, containing details about procedures, contacts and other key information required for security professionals to properly disclose their findings.
Or in other words: Contact details in a text file.
security.txt isn't yet an official standard (it is still an Internet-Draft), but it addresses a common issue that security researchers encounter in their day-to-day activity: sometimes it's harder to report a problem than it is to find it. I always remember the case of a Portuguese citizen who spent ~5 months trying to contact someone who could fix some serious vulnerabilities in a government website.
Even though it isn’t an accepted standard yet, it’s already being used in the wild:
Need more examples? A quick search finds them for you, or you can also read here a small analysis of its adoption on Alexa's top 1000 websites.
So to help the cause I added one for this domain. It can be found at https://ovalerio.net/.well-known/security.txt
Below are the steps I took:
- Go to https://securitytxt.org/ and fill in the required fields of the form on that website.
- Fill in the extra fields if they apply.
- Generate the text document.
- Sign the content using your PGP key (this writes the clear-signed copy to security.txt.asc; that signed copy is the one to publish, and anyone can check it with gpg --verify):
gpg --clear-sign security.txt
- Publish the signed file on your domain under
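Once the signed file is in place it is worth checking it the way a researcher's tooling would read it. The following Python validator is an added example, not the author's script and not code from securitytxt.org: it takes the field set of RFC 9116 (the published form of the draft this post refers to, which requires Contact and Expires), unwraps the PGP cleartext signature, parses the fields and reports common mistakes (unsigned file, bare e-mail address instead of a mailto: URI, missing or past Expires, Canonical not matching the URL the file is served from). The sample file texts, the example.com URLs and the fixed reference time SAMPLE_NOW are constructed for the example; the signature block in the sample is a placeholder, and the code checks structure only, leaving signature verification to `gpg --verify`.

```python
"""Structural checks for a security.txt file: added example, not the post's own
script. Field set assumed from RFC 9116 (the published form of the draft the
post refers to); sample texts, example.com URLs and SAMPLE_NOW are constructed."""
from datetime import datetime, timezone

REQUIRED = {"Contact", "Expires"}
URL_FIELDS = {"Canonical", "Encryption", "Policy", "Acknowledgments", "Hiring"}
KNOWN = REQUIRED | URL_FIELDS | {"Preferred-Languages"}
SINGLE_VALUED = {"Expires", "Preferred-Languages"}
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")
PGP_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
PGP_SIG = "-----BEGIN PGP SIGNATURE-----"

# Constructed reference time so the Expires check is deterministic.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed sample of a clear-signed file; the signature block is a placeholder.
GOOD = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Constructed sample; not a real signature.
Contact: mailto:security@example.com
Contact: https://example.com/security-contact
Expires: 2025-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Canonical: https://example.com/.well-known/security.txt
Preferred-Languages: en, pt
-----BEGIN PGP SIGNATURE-----

placeholder
-----END PGP SIGNATURE-----
"""

# Constructed sample with typical mistakes: unsigned, bare e-mail, no Expires.
BAD = """Contact: security@example.com
Acknowledgments: https://example.com/hall-of-fame
"""


def strip_cleartext_signature(text):
    """Return (body, signed). Extracts the message from an OpenPGP cleartext
    signature without verifying it; verification is `gpg --verify`'s job."""
    if not text.startswith(PGP_BEGIN):
        return text, False
    lines = text.splitlines()
    i = 1
    while i < len(lines) and lines[i].strip():  # skip "Hash: ..." armor headers
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line.startswith(PGP_SIG):
            break
        body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
    return "\n".join(body) + "\n", True


def parse_fields(body):
    """Parse 'Name: value' lines into (name, value) pairs; skip blanks and comments."""
    fields = []
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.append((name.strip(), value.strip()))
    return fields


def validate(text, served_at=None, now=None):
    """Return a list of problems (empty means the file passes these checks).
    served_at is the URL the file is fetched from, compared against Canonical."""
    now = now or datetime.now(timezone.utc)
    body, signed = strip_cleartext_signature(text)
    problems = [] if signed else ["file is not PGP clear-signed"]
    fields = parse_fields(body)
    names = [n for n, _ in fields]
    problems += [f"missing required field {r}" for r in sorted(REQUIRED - set(names))]
    problems += [f"{n} must appear only once" for n in sorted(SINGLE_VALUED) if names.count(n) > 1]
    for name, value in fields:
        if name not in KNOWN:
            problems.append(f"unknown field {name}")
        elif name == "Contact" and not value.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a URI with a scheme: {value}")
        elif name in URL_FIELDS and not value.startswith("https://"):
            problems.append(f"{name} should be an https URL: {value}")
        elif name == "Expires":
            try:
                exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
            except ValueError:
                problems.append(f"Expires is not ISO 8601: {value}")
                continue
            if exp.tzinfo is None:
                problems.append("Expires must carry a timezone")
            elif exp <= now:
                problems.append(f"file expired on {value}")
    canonical = [v for n, v in fields if n == "Canonical"]
    if served_at and canonical and served_at not in canonical:
        problems.append(f"served at {served_at} but Canonical lists {canonical}")
    return problems


if __name__ == "__main__":
    url = "https://example.com/.well-known/security.txt"
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate(text, served_at=url, now=SAMPLE_NOW) or "ok")
```

Run it against your own file with `validate(open("security.txt.asc").read(), served_at="https://your-domain/.well-known/security.txt")`; the Canonical check is the one that catches a file copied between domains, and the Expires check is the one that quietly fails a year after you forget about it.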
As you can see, this is a very low-effort task, and it can generate very high returns if it leads to the disclosure of a serious vulnerability that otherwise would have gone unreported.