Security.txt is a security mechanism that allows your organization to provide its vulnerability disclosure policy and contact information in a standardized format and location. The file is designed to make it easier for ethical hackers, researchers, and other finders to reach your organization when they need to report a security vulnerability. Any website can set up a security.txt file in a few minutes, and it doesn’t require a full-fledged Vulnerability Disclosure Program (VDP) or bug bounty.
The idea was developed by two security researchers and is currently under consideration by the Internet Engineering Task Force (IETF). This collaborative group creates internet standards such as TCP/IP and SSL. While security.txt is not an official standard yet, it is already used by some of the world’s largest organizations, like Google, and is recommended by the UK government’s Ministry of Justice.
How Security.txt Helps Your Program
If your organization has an official VDP or bug bounty program, that information is likely already published in multiple places. HackerOne programs, for example, are easily found through search engines and listed in our directory. There may also be a dedicated security page on your website. So, what value does security.txt have if people can already find your program?
Security.txt is designed to be the authoritative source for your website’s vulnerability reporting information. Authoritative sources are commonly needed on the internet so that both users and machines can check one location for the most up-to-date information—the DNS system and robots.txt are similar examples of such sources. As an authoritative source, a security.txt file fulfills purposes that simply posting your information on your website can’t.
The choice to create a security.txt file tells third parties the information contained within is accurate and reliable. During urgent incidents where every minute counts, security.txt helps finders find the contact information they need quickly. Imagine an active security incident such as Log4Shell. Your organization wants to remove every possible barrier that might delay or discourage a vulnerability report.
Day-to-day, security.txt may also be the preferred way for some to find your contact information. Providing your information in a standardized location can even remove language barriers, eliminating the need for finders to translate a website or navigate unfamiliar layouts and design conventions.
Security.txt is also machine-readable, allowing security tools or APIs to retrieve your organization’s contact information automatically. Such automation is impossible when every website publishes this information in its own way, with no common guideline and on a wide range of backend technologies and designs.
Experts now recommend that every organization have a VDP. Some even require it. Security.txt files are a simple way to make your contact information available and help maximize the value of your program. It will be worth the set-up time if even one critical vulnerability report is made due to your security.txt file. To help our customers use security.txt, we automatically generate prepared files that can be copied and used as their own security.txt files.
How To Set Up a Security.txt File
There are two steps to setting up a security.txt file for your website: create the file and publish it.
A security.txt file is a plain-text file with a few required and optional fields. The official security.txt website can automatically generate a file with your organization’s information. If needed, complete documentation of the fields and their functions is available in the RFC document.
If your organization has a VDP or bug bounty program, the “Policy” field is the most important and should list your program’s URL. However, if your organization only runs a private program, provide an email in the “Contact” field that can accept public submissions and check the inbox regularly.
We automatically generate a security.txt file for all customers with a VDP or bug bounty. Add “.txt” to the end of any program page URL to see it. For example, HackerOne’s file is found at https://hackerone.com/security.txt. The file lists your program submission page, preferred languages, and acknowledgments page. These values are pulled directly from your account information to ensure accuracy.
With your security.txt file prepared, publish it at https://yourdomain.com/.well-known/security.txt. The IETF has designated the “.well-known” directory as the canonical location for important domain information. Now your work is done. An authoritative source for your organization’s vulnerability reporting and contact information is now live and available.
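Before publishing, it is worth checking the drafted file the way a finder's tooling would read it. The checker below is an added example, not HackerOne's code or the official generator; it follows the field rules of the security.txt RFC (RFC 9116: Contact and Expires required, Expires once, https for web URIs) and runs against a constructed sample using the placeholder domain example.com.

```python
"""Minimal security.txt checker following RFC 9116 field rules (added example, not HackerOne's code)."""
from datetime import datetime, timezone
from urllib.parse import urlsplit
REQUIRED = ("Contact", "Expires")
URI_FIELDS = ("Contact", "Policy", "Canonical", "Encryption", "Acknowledgments", "Hiring")

SAMPLE = """\
# Constructed sample security.txt; example.com is a placeholder domain
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2099-12-31T23:59:00Z
Policy: https://example.com/security-policy
"""

def parse_security_txt(text):
    """Return {field: [values]} in file order; '#' comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def validate(fields, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems = [f"missing required field {r}" for r in REQUIRED if r not in fields]
    if len(fields.get("Expires", [])) > 1:
        problems.append("Expires must appear exactly once")
    for exp in fields.get("Expires", []):
        try:
            when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {exp}")
            continue
        if when.tzinfo is None:
            problems.append(f"Expires must include a UTC offset: {exp}")
        elif when <= now:
            problems.append("file has expired; finders may not trust its contents")
    for name in URI_FIELDS:
        for uri in fields.get(name, []):
            scheme = urlsplit(uri).scheme
            ok = scheme == "https" or (name == "Contact" and scheme in ("mailto", "tel"))
            if not ok:
                problems.append(f"{name} must use https (or mailto:/tel: for Contact): {uri}")
    return problems
```

Run `validate(parse_security_txt(open(".well-known/security.txt").read()))` against your own draft; an expired file is a common finding, so schedule a reminder ahead of the Expires date.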
Don’t Have a Vulnerability Disclosure Program or Bug Bounty?
If someone finds a vulnerability on your website, would they be able to report it? Without a structured way to receive and respond to vulnerability reports, your organization likely has unknown and possibly severe vulnerabilities leaving your attack surface unprotected. Both VDPs and bug bounties allow third parties (in the case of VDPs) and hackers (in bug bounties) to report potential vulnerabilities. Submitted reports are tracked through the HackerOne dashboard, making it easy to investigate, confirm, and remediate vulnerabilities.
The primary difference between these programs is the incentive structure. VDPs do not incentivize finders, although finders receive thanks and, in some cases, swag like t-shirts or other giveaways. The incentive for VDP finders is to see vulnerabilities resolved. Hackers are incentivized to find bugs in a bug bounty program and are paid based on bug severity or confirmed vulnerabilities. This article explains our programs and how to choose the right one for your organization.
If your organization is large, we recommend a managed program that provides the tools and structure needed to act properly on reports at scale. But if your website is for personal use or your organization isn't ready for an official program yet, a great first step is to set up a dedicated security email address and a security.txt file.
Start a Program With HackerOne
HackerOne’s Attack Resistance Management Platform includes HackerOne Response (VDP) and HackerOne Bounty programs that can be scaled and customized to help any organization manage its vulnerabilities and protect its attack surface. Control submission volume with a private VDP program or go public for greater coverage. Private bug bounties are targeted at a smaller group of invite-only hackers with specific skillsets, while public programs elicit more reports. And use our triage service to filter out inaccurate and erroneous reports.
Increase your organization’s attack resistance with HackerOne. Contact us for more information on how to get started.