Gaps in IT security are a problem of our digital, networked world. They are usually a result of design and programming errors and can be a threat to a wide range of different systems: sometimes a webcam can be hacked, and sometimes login data is exposed, with some attackers even gaining access to machine control systems.
When security researchers or government agencies identify a critical security problem in a product or in a company's network, the relevant information must reach the responsible IT professionals quickly. However, experience has shown that website forms and general contact data on sub-pages are unsuitable for this purpose. Important information often has to pass through complex processes and is sometimes lost completely. Furthermore, a security researcher who wishes to report a vulnerability often does not know whether the report needs to be encrypted (and if so, how) and has no information about any further terms that may apply.
However, the most crucial question is: How do I know whether my warning is even welcome? Could identifying a vulnerability in a company's IT infrastructure result in me being viewed with suspicion? Because of legal grey areas (in Germany, for example, the "hacker paragraph", section 202c of the German Penal Code [StGB]), security researchers have to fear being charged with a crime and facing severe penalties. Time and again, dedicated professionals who make an operating company aware of a problem find themselves reported to the authorities.
It is important to remember that the well-intentioned, responsible disclosure of identified security vulnerabilities is an important part of ensuring a secure IT infrastructure. A practical solution to this is provided in the form of an international technical specification that allows all parties involved to engage in a trustworthy exchange of information:
To achieve this, a simple text file with the fixed name security.txt is used to store contact information and information about encryption in a specified format. This file is then uploaded to the web server in the .well-known/ directory below the root directory. The text file is then available for everyone over HTTPS using the URL with the following scheme:
https://www.example.com/.well-known/security.txt
This location is known to security researchers around the world, which is why the specification is already used by many companies, such as the German Social Accident Insurance (DGUV):
https://www.dguv.de/.well-known/security.txt
The technical specification is published free of charge online as a Request for Comments (RFC), RFC 9116. The process also offers further advantages for both sides: anyone who uncovers a serious security vulnerability can be credited on the page referenced by the "Acknowledgments" field and may even receive a financial reward for their information. Under the "Hiring" field, companies list attractive job roles for security professionals and find qualified young professionals.
According to a new draft regulation that will be published in the near future, manufacturers of digital products will be required to provide an easily reachable contact and may face heavy fines if they fail to do so. The security.txt specification puts companies in a much better position in this context too.
If you would also like to use the security.txt specification for your company, you can find a simple generator at https://securitytxt.org/ that will help you to create the file.
The technical specification recommends setting the file validity period to a maximum of one year. All technical details and the complete definition of the technical specification can be found in RFC 9116 from the Internet Engineering Task Force (IETF).
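The file location described above and the one-year validity recommendation can be checked mechanically. The following Python script is an added example, not code from the original article or from any project it mentions: it parses a security.txt in the RFC 9116 field format and reports the checks a reporter or an operator would want to run, namely that Contact and Expires are present, that Expires is neither in the past nor more than a year ahead, that the file was served over HTTPS from /.well-known/security.txt, and that the fetched URL appears in Canonical when that field is given. The sample file and the host example.com are constructed placeholders.

```python
# Added example (not part of the original article): a minimal parser and
# validator for a security.txt file as defined in RFC 9116. The sample file
# below is constructed for this example; example.com is a placeholder host.
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample security.txt (not a real organisation's file)
SAMPLE = """\
# Constructed sample; comments and blank lines are ignored by the parser
Contact: mailto:security@example.com
Contact: https://example.com/security-contact

Expires: 2030-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
Acknowledgments: https://example.com/hall-of-fame
Hiring: https://example.com/jobs
"""

# Fields RFC 9116 allows at most once; the other fields may repeat
AT_MOST_ONCE = ("expires", "preferred-languages")
CONTACT_SCHEMES = ("https", "mailto", "tel")
WELL_KNOWN_PATH = "/.well-known/security.txt"


def parse_security_txt(text):
    """Return {field-name (lowercase): [values...]} in order of appearance."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line (no field separator): {line!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_timestamp(value):
    """Parse an RFC 3339 date-time such as 2030-01-01T00:00:00Z into an aware datetime."""
    v = value.strip()
    if v[-1:] in ("Z", "z"):  # older Python versions reject a trailing Z
        v = v[:-1] + "+00:00"
    stamp = datetime.fromisoformat(v)
    if stamp.tzinfo is None:
        raise ValueError("timestamp lacks a timezone offset")
    return stamp


def validate(fields, now, fetched_from=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    problems = []

    # Contact is mandatory; values are URIs, and web contacts should use HTTPS
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact field is required")
    for c in contacts:
        if urlparse(c).scheme not in CONTACT_SCHEMES:
            problems.append(f"Contact is not an https/mailto/tel URI: {c}")

    for name in AT_MOST_ONCE:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must not appear more than once")

    # Expires is mandatory; a past date means the file must not be trusted,
    # and the RFC recommends an expiry less than a year ahead
    expires = fields.get("expires", [])
    if not expires:
        problems.append("Expires field is required")
    else:
        try:
            stamp = parse_timestamp(expires[0])
        except ValueError as exc:
            problems.append(f"Expires is not a valid RFC 3339 timestamp: {exc}")
        else:
            if stamp <= now:
                problems.append("file has expired; its contents should not be relied on")
            elif stamp > now + timedelta(days=365):
                problems.append("Expires is more than a year ahead; RFC 9116 recommends under one year")

    # Location checks: HTTPS and the fixed well-known path; if Canonical is
    # present, the URL the file was fetched from should be one of its values
    if fetched_from is not None:
        url = urlparse(fetched_from)
        if url.scheme != "https" or not url.path.endswith(WELL_KNOWN_PATH):
            problems.append(f"file should be served over HTTPS at {WELL_KNOWN_PATH}")
        canonical = fields.get("canonical", [])
        if canonical and fetched_from not in canonical:
            problems.append("fetched URL is not listed in Canonical; the file may not apply to this host")

    return problems


def check_file(text, now_iso, fetched_from=None):
    """Parse and validate in one step; now_iso is an RFC 3339 timestamp standing in for 'now'."""
    return validate(parse_security_txt(text), parse_timestamp(now_iso), fetched_from)


if __name__ == "__main__":
    url = "https://example.com/.well-known/security.txt"
    for p in check_file(SAMPLE, "2029-06-01T00:00:00Z", url) or ["ok: no problems found"]:
        print(p)
```

The parser only understands the plain field format; a file that carries a PGP clear-signature (which RFC 9116 allows) must have the signature verified and stripped before it is handed to parse_security_txt, because the signature armour lines contain no field separator. Unknown fields are kept but not flagged, since the RFC permits extension fields.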
[1] Request for Comments (RFC) 9116
[2] Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020
[3] Generator https://securitytxt.org/