
Security.txt in the wild

A few years ago, I covered the security.txt spec here on the blog: a standard location (/.well-known/security.txt, now RFC 9116) for security-related contact information, designed to help researchers and others find the right contacts to report vulnerabilities and other problems.

At the time, I added it to my personal domain, as an example.

When I wrote the post, the spec was still fairly recent, so as expected it wasn’t widely adopted and only the more security-conscious organizations had put it in place.

Since then, as part of my security work, I implemented it for several products, and the results were good. We received and triaged many reports that were sent to the correct addresses since day one.

Many people who put a security.txt file in place complain about the volume of low-effort reports it attracts. I admit this situation is not ideal. However, I still think it is a net positive, and the problem can be minimized by having a good policy in place and a streamlined triage process.

While I always push for implementing it on the products I work on, I have very little information about how widespread adoption of the spec actually is.

The topic is very common in certain “hacker” forums, but when I talk to people, the impression I get is that this is an obscure thing.

The website findsecuritycontacts.com relies on security.txt for its data. It also checks the top 500 domains every day to generate statistics, and the results are disappointing: only ~20% of those websites implement it correctly.

I remember reading reports that covered many more websites, but recently I haven’t seen any. With a quick search, I was able to find this one.

It was written in 2022, so the results are clearly dated. On the bright side, the author published the tool he used to gather the data, which means more recent data can be gathered quickly.

So, to satisfy my curiosity, I downloaded the tool, grabbed the current list of the top 1 million websites from tranco-list.eu, gathered the same data, and with a few lines of Python code obtained the following results:

  • Total sites scanned: 999992
  • Sites with a valid file: 9312 (~0.93%)
  • Sites with an invalid file: 2189 (~0.22%)
  • Sites without a file: 988491 (~98.85%)

  Field          Sites with value
  Contact        9218
  Policy         3674
  Hiring         2564
  Encryption     2650
  Expires        4960
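Because the scanning tool is not described in the post, here is an added example (my own code, not the post's or the tool's) of how the "valid / invalid / missing" split and the per-field counts can be computed from fetched security.txt bodies. The validity rules are an assumption taken from RFC 9116 rather than from the tool: Contact and Expires are required, Expires must be an RFC 3339 timestamp in the future, and web URIs must use https. Note that the tool used above is evidently looser, since fewer files carry Expires than count as valid. The four domains and file bodies are constructed sample input.

```python
"""Checker for RFC 9116 security.txt files (added example, not the post's tool).

Assumption: the validity rules below follow RFC 9116 (Contact and Expires
required, Expires in the future, web URIs over https); the scanner used in
the post may apply different rules.
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

REQUIRED = ("Contact", "Expires")
URI_FIELDS = {"Acknowledgments", "Canonical", "Contact", "Encryption", "Hiring", "Policy"}
SINGLE_VALUE = {"Expires", "Preferred-Languages"}


def parse(text: str) -> Dict[str, List[str]]:
    """Split a security.txt body into field -> list of values.

    Comment lines (#) and blank lines are skipped; a line without ':' is a
    syntax error. Fields may repeat, so every value is kept.
    """
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed line: {line!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate(text: str, now: datetime) -> List[str]:
    """Return a list of problems; an empty list means the file is valid."""
    try:
        fields = parse(text)
    except ValueError as exc:
        return [str(exc)]
    problems: List[str] = []
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in SINGLE_VALUE:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear only once")
    for name in URI_FIELDS.intersection(fields):
        for value in fields[name]:
            scheme = urlsplit(value).scheme.lower()
            if not scheme:
                # A bare e-mail address is a common mistake; the RFC wants a URI (mailto:).
                problems.append(f"{name} value is not a URI: {value!r}")
            elif scheme == "http":
                problems.append(f"{name} web URI must use https: {value!r}")
    for value in fields.get("Expires", []):
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {value!r}")
            continue
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            problems.append(f"file expired on {value}")
    return problems


def tally(files: Dict[str, Optional[str]], now: datetime) -> Tuple[Counter, Counter]:
    """Build the two summaries shown in the post: valid/invalid/missing counts
    and how many sites carry each field (counted over every file that parses)."""
    status: Counter = Counter()
    per_field: Counter = Counter()
    for text in files.values():
        if text is None:
            status["missing"] += 1
            continue
        status["valid" if not validate(text, now) else "invalid"] += 1
        try:
            per_field.update(parse(text).keys())
        except ValueError:
            pass  # unparsable files already counted as invalid
    return status, per_field


# Constructed sample input: fictional domains; None means no file was served.
SAMPLE_FILES: Dict[str, Optional[str]] = {
    "good.example": (
        "Contact: mailto:security@good.example\n"
        "Expires: 2024-12-31T23:59:59.000Z\n"
        "Encryption: https://good.example/pgp.txt\n"
        "Policy: https://good.example/security-policy\n"
        "Preferred-Languages: en, pt\n"
    ),
    "old.example": "# written before the RFC\nContact: security@old.example\n",
    "stale.example": "Contact: https://stale.example/report\nExpires: 2023-01-01T00:00:00Z\n",
    "none.example": None,
}
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock, keeps the run reproducible

if __name__ == "__main__":
    status, per_field = tally(SAMPLE_FILES, NOW)
    print(dict(status))
    for name, count in sorted(per_field.items()):
        print(f"{name:<20}{count}")
```

Feeding the real scan output through `tally` instead of the sample dictionary gives the same shape of table as above; swapping `validate` for the scanner's own rules is the quickest way to see whether the "invalid" bucket comes from the files or from the checker.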

The results are a bit underwhelming; I’m not sure whether it is a flaw in the software or an accurate picture of reality.

On the other hand, compared with the results the original author obtained, this is roughly a threefold improvement over a year and a half, which is a good sign.

Next year, if I don’t forget, I will run the experiment again to check on progress once more.