How do #Finnish organizations instruct #security #vulnerability #disclosure using #securitytxt? Many organizations, such as CISA and the French government, endorse the use of security.txt.

❌ = Not available
❕ = Available but flaws
✅ = Available and conforms #RFC9116

dvv.fi: ❌
eduskunta.fi: ❌
elisa.fi: ❕Missing date (RFC violation)
hel.fi: ❌
op.fi: ❌
puolustusvoimat.fi: ❌
kanta.fi: ❕Date against recommendation
suomi.fi: ❌
traficom.fi: ✅
yle.fi: ❕Date against recommendation

#Suomi #tietoturva
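To reproduce the three verdicts used in the survey above, here is an added example checker; it is not code from any of the posts on this page. It parses a security.txt body, applies the RFC 9116 rules the survey relies on (Contact required, Expires required exactly once, Expires recommended to be less than a year in the future, section 2.5.5) and maps a fetch outcome to ❌ / ❕ / ✅. The sample files, the fixed clock and the example.com contacts are constructed for the demonstration and are not any real organization's file.

```python
"""Minimal RFC 9116 security.txt checker (added example, offline, no network)."""
from datetime import datetime, timedelta, timezone

# Field names are case-insensitive (RFC 9116 section 2.5).
# Contact and Expires are the only required fields.
REQUIRED = ("contact", "expires")


def parse(text):
    """Return {field_name_lowercase: [values]}, skipping comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line is not 'Field: value': {raw!r}")
        name, value = line.split(":", 1)  # split on the first colon only: URIs contain ':'
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check(text, now=None):
    """Return ('violation' | 'recommendation' | 'ok', [messages]) for a file body."""
    now = now or datetime.now(timezone.utc)
    violations, problems = [], []
    try:
        fields = parse(text)
    except ValueError as e:
        return "violation", [str(e)]

    for name in REQUIRED:
        if name not in fields:
            violations.append(f"missing required field {name.title()}")

    # Section 2.5.5: Expires MUST appear exactly once.
    expires = fields.get("expires", [])
    if len(expires) > 1:
        violations.append("Expires must appear exactly once")

    # Section 2.5.3: Contact values are URIs such as mailto:, https: or tel:.
    for value in fields.get("contact", []):
        if not value.lower().startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact should be a mailto:/https:/tel: URI, got {value!r}")

    if len(expires) == 1:
        exp = expires[0]
        try:
            # RFC 3339 timestamp; accept the trailing 'Z' spelling of UTC.
            when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
            if when.tzinfo is None:
                violations.append("Expires lacks a timezone offset")
            elif when < now:
                violations.append(f"file expired on {exp}")
            elif when > now + timedelta(days=365):
                # Section 2.5.5: RECOMMENDED to be less than a year in the future.
                problems.append(f"Expires {exp} is more than a year away")
        except ValueError:
            violations.append(f"Expires is not an RFC 3339 timestamp: {exp!r}")

    if violations:
        return "violation", violations + problems
    if problems:
        return "recommendation", problems
    return "ok", []


def classify(status, content_type, body, now=None):
    """Map what a client observed at /.well-known/security.txt to ❌ / ❕ / ✅.

    status, content_type and body are the final response after redirects, so a
    redirect that lands on an HTML page counts as 'not available': no
    security.txt was ever served.
    """
    if status != 200 or not content_type.lower().startswith("text/plain"):
        return "❌", [f"no security.txt served (HTTP {status}, {content_type})"]
    verdict, msgs = check(body, now)
    return {"violation": "❕", "recommendation": "❕", "ok": "✅"}[verdict], msgs


# Fixed clock so the verdicts below are stable (constructed).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample files, not real organizations' files.
MISSING_EXPIRES = "Contact: mailto:security@example.com\n"
FAR_EXPIRES = "Contact: https://example.com/report\nExpires: 2030-01-01T00:00:00Z\n"
CONFORMING = (
    "# constructed example\n"
    "Contact: mailto:security@example.com\n"
    "Expires: 2024-12-31T23:59:59Z\n"
    "Preferred-Languages: fi, sv, en\n"
)

if __name__ == "__main__":
    for label, body in (("missing", MISSING_EXPIRES), ("far", FAR_EXPIRES), ("ok", CONFORMING)):
        print(label, classify(200, "text/plain; charset=utf-8", body, NOW))
    print("redirect-to-html", classify(200, "text/html; charset=utf-8", "<html>", NOW))
```

`check` separates MUST-level failures (missing Expires) from RECOMMENDED-level ones (Expires too far out), which is the difference between "Missing date (RFC violation)" and "Date against recommendation" in the table above; `classify` adds the retrieval step, since a 404 or a redirect to an HTML page is the ❌ case before any parsing happens.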

#security.txt (#RFC9116)
In order to easily and quickly 1° identify whether a visited website publishes a security.txt file, 2° display it to retrieve the relevant information, here is a browser extension that should save you time:
Mozilla #Firefox : https://addons.mozilla.org/fr/firefox/addon/security-txt-file-detector/
Google #Chrome : https://chromewebstore.google.com/detail/securitytxt-file-detector/nnaaldofkakmddibiajkakimibmdjkhd
Microsoft #Edge : https://microsoftedge.microsoft.com/addons/detail/securitytxt-file-detecto/ojnbgonblbpaffknilnbpekfhohmafgh
security.txt file detector – Get this extension for 🦊 Firefox (fr)

Download security.txt file detector for Firefox. Check if a website provides a security.txt file.

When a company doesn't adhere to RFC 2142 or RFC 9116, but you're still trying to reach out.

A tale in two acts.

#BugBounty #BountyBegging #RFC2142 #RFC9116

Friends of #InfoSec, I would like some help! I would like to see your security.txt files!

I am working with a lot of really small companies that will benefit from a good security.txt, and if any group of people has good ones, I know it's going to be here!

I already use and share https://securitytxt.org/ as well as the RFC https://www.rfc-editor.org/rfc/rfc9116

If you are a PenTester/Researcher, you should get a say too! What do you want in a security.txt file? What other updates should small orgs be adding to help you help us?

#securitytxt #RFC9116

security.txt

A proposed standard that allows websites to define security policies.

security.txt
@zerforschung "As part of a research project, in cooperation with well-known media organizations, we are running a survey on the implementation of #rfc9116 (especially section 2.5.3) at companies and would like your input on it…"
@ant0inet it'd be nice if more sites implemented #RFC9116, but also if more testers looked for them. I recently updated mine with some nice ASCII art.

As a maintainer of open-source software, I want to provide ways to disclose vulnerabilities. I already have a SECURITY.md in all my repositories on GitHub. There is a copy of it on my website (https://cj.rs/open-source/docs/security/), because my website hosts homepages for my projects.

Today, I’ve added a security.txt file (https://securitytxt.org/) in the standard location: https://cj.rs/.well-known/security.txt

#RFC9116 #securitytxt

Security Policy

Guidelines to report a security issue

Do you know you can publish a "security.txt" on your website to expose contact information and more to make it easier to report security vulnerabilities: https://datatracker.ietf.org/doc/rfc9116/
#security #ietf #rfc9116
RFC 9116: A File Format to Aid in Security Vulnerability Disclosure

When security vulnerabilities are discovered by researchers, proper reporting channels are often lacking. As a result, vulnerabilities may be left unreported. This document defines a machine-parsable format ("security.txt") to help organizations describe their vulnerability disclosure practices to make it easier for researchers to report vulnerabilities.

IETF Datatracker

@BNetzA Either #Vodafone is criminally incompetent and/or their entire infrastructure, including the fault-reporting hotline, has been hijacked.

And of course, instead of a security.txt ( https://securitytxt.org/ , see also #RFC9116: https://www.rfc-editor.org/rfc/rfc9116 ) or a 404 error code, there is a web redirect.
https://www.vodafone.de/.well-known/security.txt

Could someone from @bsi give #Vodafone a call?

It would be embarrassing if, like @Lilith, I later find a huge problem...
