On security.txt:

I understand that staleness may exist in companies and a security contact should be reachable. But why is the solution an EXPIRES field that has to be updated once a year?

- https://datatracker.ietf.org/doc/html/rfc9116#name-expires

People will just automate the task of changing the date of the EXPIRES field instead of changing the contact in their aliases file.

It does not change anything if the date did not expire but nobody is reading [email protected].

#rfc9116 #rfc #ietf #standards

RFC 9116: A File Format to Aid in Security Vulnerability Disclosure

When security vulnerabilities are discovered by researchers, proper reporting channels are often lacking. As a result, vulnerabilities may be left unreported. This document defines a machine-parsable format ("security.txt") to help organizations describe their vulnerability disclosure practices to make it easier for researchers to report vulnerabilities.

IETF Datatracker

How do #Finnish organizations instruct #security #vulnerability #disclosure using #securitytxt? Many organizations, such as CISA, and the French government, endorse the use of security.txt.

❌ = Not available
❕ = Available but flaws
✅ = Available and conforms #RFC9116

dvv.fi: ❌
eduskunta.fi: ❌
elisa.fi: ❕ Missing date (RFC violation)
hel.fi: ❌
op.fi: ❌
puolustusvoimat.fi: ❌
kanta.fi: ❕ Date against recommendation
suomi.fi: ❌
traficom.fi: ✅
yle.fi: ❕ Date against recommendation

#Suomi #tietoturva
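The Expires debate in the first post and the Finnish survey above come down to the same set of checks, which a parser can apply mechanically. The script below is an added example, not code from any post on this page: it parses a security.txt body against the MUST and RECOMMENDED rules of RFC 9116 (Contact and Expires required, Expires at most once, an RFC 3339 timestamp that has not passed and is recommended to be under a year ahead, https for web URIs, optional PGP cleartext signature) and grades the result into the survey's buckets. The sample files, the example.com addresses and the reference date are constructed; nothing is fetched from the network, so a site with no file is represented by passing None.

```python
"""Offline RFC 9116 security.txt checker (added example, not any post's code).

Grades a file body the way the survey above does: missing / flawed (a MUST
rule is violated) / recommendation (only a RECOMMENDED rule is broken) /
conforms. Fetching is left to the caller; pass None when there is no file.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("contact", "expires")               # RFC 9116 section 2.5
SINGLETON_FIELDS = ("expires", "preferred-languages")  # MUST NOT repeat
URI_FIELDS = ("acknowledgments", "canonical", "contact", "csaf",
              "encryption", "hiring", "policy")        # web URIs here MUST be https
RECOMMENDED_MAX_VALIDITY = timedelta(days=365)        # "less than a year into the future"


@dataclass
class Report:
    present: bool = True
    fields: dict = field(default_factory=dict)    # lower-cased name -> list of values
    errors: list = field(default_factory=list)    # MUST-level violations
    warnings: list = field(default_factory=list)  # RECOMMENDED-level deviations

    @property
    def grade(self) -> str:
        if not self.present:
            return "missing"          # survey: "Not available"
        if self.errors:
            return "flawed"           # survey: "Available but flaws"
        if self.warnings:
            return "recommendation"   # survey: "Date against recommendation"
        return "conforms"             # survey: "Available and conforms"


def _unwrap_cleartext_signature(lines: list) -> list:
    """Return only the signed body when the file is PGP cleartext-signed."""
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return lines
    try:
        start = lines.index("", 1) + 1  # first blank line ends the armor headers
        end = lines.index("-----BEGIN PGP SIGNATURE-----", start)
    except ValueError:
        return lines
    # Undo RFC 4880 dash-escaping ("- " prefix on lines that start with a dash).
    return [ln[2:] if ln.startswith("- ") else ln for ln in lines[start:end]]


def _parse_expires(value: str) -> datetime | None:
    """Parse the RFC 3339 date-time the RFC requires, e.g. 2021-12-31T18:37:07z."""
    text = value.strip()
    if text[-1:] in ("Z", "z"):
        text = text[:-1] + "+00:00"   # fromisoformat before Python 3.11 rejects 'Z'
    try:
        ts = datetime.fromisoformat(text)
    except ValueError:
        return None
    return ts if ts.tzinfo is not None else None  # an offset is mandatory in RFC 3339


def check_security_txt(body: str | None, now: datetime | None = None) -> Report:
    report = Report()
    if body is None:
        report.present = False
        return report
    now = now or datetime.now(timezone.utc)

    lines = _unwrap_cleartext_signature(body.replace("\r\n", "\n").split("\n"))
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            report.errors.append(f"line {lineno}: not a 'Field: value' line")
            continue
        report.fields.setdefault(name.strip().lower(), []).append(value.strip())

    for name in REQUIRED_FIELDS:
        if name not in report.fields:
            report.errors.append(f"required field '{name}' is missing")
    for name in SINGLETON_FIELDS:
        if len(report.fields.get(name, [])) > 1:
            report.errors.append(f"field '{name}' must appear only once")

    for name in URI_FIELDS:
        for uri in report.fields.get(name, []):
            scheme = uri.split(":", 1)[0].lower() if ":" in uri else ""
            if name == "contact" and (not scheme or "/" in scheme):
                # A bare address is not a URI; the RFC requires mailto:/tel: schemes.
                report.errors.append(f"Contact '{uri}' is not a URI (no scheme)")
            elif scheme == "http":
                report.errors.append(f"{name} '{uri}' must use https")

    if len(report.fields.get("expires", [])) == 1:
        ts = _parse_expires(report.fields["expires"][0])
        if ts is None:
            report.errors.append("Expires is not an RFC 3339 date-time with offset")
        elif ts <= now:
            report.errors.append("Expires has passed: the file is stale")
        elif ts - now > RECOMMENDED_MAX_VALIDITY:
            report.warnings.append("Expires is more than a year ahead (against recommendation)")
    return report


# Constructed sample files (not real sites) and a fixed "today" so results are
# reproducible; None stands for a site that publishes no file at all.
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLES = {
    "absent": None,
    "conforming": ("Contact: mailto:security@example.com\n"
                   "Expires: 2024-12-31T23:59:59z\n"
                   "Canonical: https://example.com/.well-known/security.txt\n"),
    "no-expires": "Contact: https://example.com/report\n",
    "long-expires": "Contact: mailto:security@example.com\nExpires: 2027-01-01T00:00:00Z\n",
    "stale-signed": ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
                     "Contact: mailto:security@example.com\nExpires: 2024-01-01T00:00:00Z\n"
                     "-----BEGIN PGP SIGNATURE-----\n(signature omitted)\n"
                     "-----END PGP SIGNATURE-----\n"),
}


def grade_samples() -> dict:
    """Grade every constructed sample; handy as a self-check of the rules above."""
    return {name: check_security_txt(body, REFERENCE_NOW).grade
            for name, body in SAMPLES.items()}
```

Running `grade_samples()` returns `{"absent": "missing", "conforming": "conforms", "no-expires": "flawed", "long-expires": "recommendation", "stale-signed": "flawed"}`. The split between errors and warnings mirrors the RFC's language: a missing or passed Expires breaks a MUST and makes the file untrustworthy, while a date more than a year out only contradicts a recommendation, which is exactly the distinction the survey draws between "RFC violation" and "against recommendation".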

#security.txt (#RFC9116)
In order to easily and quickly 1° identify whether a visited website publishes a security.txt file, 2° display it to retrieve the relevant information, here is a browser extension that should save you time:
Mozilla #Firefox : https://addons.mozilla.org/fr/firefox/addon/security-txt-file-detector/
Google #Chrome : https://chromewebstore.google.com/detail/securitytxt-file-detector/nnaaldofkakmddibiajkakimibmdjkhd
Microsoft #Edge : https://microsoftedge.microsoft.com/addons/detail/securitytxt-file-detecto/ojnbgonblbpaffknilnbpekfhohmafgh
security.txt file detector – Get this extension for 🦊 Firefox (fr)

Download security.txt file detector for Firefox. Check if a website provides a security.txt file.

#security.txt (#RFC9116)
In order to easily and quickly 1° identify whether a visited website publishes a security.txt file, 2° display it to retrieve the relevant information, here is a browser extension that should save you time:
Mozilla #Firefox : https://addons.mozilla.org/fr/firefox/addon/security-txt-file-detector/
Google #Chrome : https://chromewebstore.google.com/detail/securitytxt-file-detector/nnaaldofkakmddibiajkakimibmdjkhd
Microsoft #Edge : https://microsoftedge.microsoft.com/addons/detail/securitytxt-file-detecto/ojnbgonblbpaffknilnbpekfhohmafgh

When a company doesn't adhere to RFCs 2142 or 9116, but you still tryna reach out.

A tale in two acts.

#BugBounty #BountyBegging #RFC2142 #RFC9116

Friends of #InfoSec I would like for some help! I would like to see your security.txt’s!

I am working with a lot of really small companies that will benefit from a good security.txt and if any group of people has good ones I know it's gonna be here!

I already use and share https://securitytxt.org/ as well as the RFC https://www.rfc-editor.org/rfc/rfc9116

If you are a PenTester/Researcher, you should get a say too! What do you want in a security.txt file? What other updates should small orgs be adding to help you help us?

#securitytxt #RFC9116

security.txt

A proposed standard that allows websites to define security policies.

security.txt
@zerforschung "as part of a research project, in cooperation with well-known media organizations, we are running a survey on the implementation of #rfc9116 (in particular section 2.5.3) at companies and would like your input on it…"

As a maintainer of open-source software, I want to provide ways to disclose vulnerabilities. I already have a SECURITY.md in all my repositories on GitHub. There is a copy of it on my website (https://cj.rs/open-source/docs/security/), because my website hosts the homepages for my projects.

Today, I’ve added a security.txt file (https://securitytxt.org/) in the standard location: https://cj.rs/.well-known/security.txt

#RFC9116 #securitytxt

Security Policy

Guidelines to report a security issue

Do you know you can publish a "security.txt" on your website to expose contact information and more to make it easier to report security vulnerabilities: https://datatracker.ietf.org/doc/rfc9116/
#security #ietf #rfc9116

@BNetzA Either the people at #Vodafone are criminally incompetent and/or their entire infrastructure, including the fault-reporting hotline, has been hijacked.

And of course, instead of a security.txt ( https://securitytxt.org/ , see also #RFC9116: https://www.rfc-editor.org/rfc/rfc9116 ) or a 404 error code, there is a web redirect.
https://www.vodafone.de/.well-known/security.txt

Could someone from @bsi give #Vodafone a ring?

It would be embarrassing if, like @Lilith, I end up finding a huge problem later...
