Photo by Kevin Ku on Unsplash

RFC 9116: File Format to Aid in Security Vulnerability Disclosure

In 2022, Foudil and Shafranovich published [here]:

Overall, it’s a very simple proposal, and where companies can post a file which defines where vulnerabilies can be reported to. An example defined in the RFC is:

# Our security address
Contact: security@example.com

# Our OpenPGP key
Encryption: https://example.com/pgp-key.txt

# Our security policy
Policy: https://example.com/security-policy.html

# Our security acknowledgments page
Acknowledgments: https://example.com/hall-of-fame.html

Expires: 2021-12-31T18:37:07z

We can see there is an email address, and a public key for secure communications. The file itself should be placed in the “/.well-known/” such sas for https://example.com/.well-known/security.txt.

The adoption is increasing, with Google being one of the first adapters [here]:

Contact: https://g.co/vulnz
Contact: security@google.com
Encryption: https://services.google.com/corporate/publickey.txt
Acknowledgements: https://bughunters.google.com/
Policy: https://g.co/vrp
Hiring: https://g.co/SecurityPrivacyEngJobs

In this Google provides their public key [here]:

Apple [here]:

Contact: https://security.apple.com

# Apple Security Updates
Acknowledgments: https://support.apple.com/HT201222

# Apple Web Server Security Acknowledgements
Acknowledgments: https://support.apple.com/HT201536

# Apple Security Bounty Guidelines
Policy: https://security.apple.com/bounty/guidelines/

Expires: 2030-01-01T09:00:00.000Z

Facebook [here]:

Contact: https://www.facebook.com/whitehat/report/
Acknowledgments: https://www.facebook.com/whitehat/thanks/
Hiring: https://www.facebook.com/careers/teams/security/

# Found a bug? Our bug bounty policy:
Policy: https://www.facebook.com/whitehat/info/

# What we do when we find a bug in another product:
Policy: https://www.facebook.com/security/advisories/Vulnerability-Disclosure-Policy

Expires: Sat, 04 Mar 2023 12:45:14 -0800

Amazon [here]:

Contact: https://hackerone.com/amazonvrp/reports/new
Hiring: https://www.amazon.jobs/en/teams/infosec

# Bug Bounty Policy:
Policy: https://hackerone.com/amazonvrp

# For vulnerabilities related to Amazon Web Services (AWS):
https://aws.amazon.com/security/vulnerability-reporting/

Unfortunately, Microsoft and Netflix don’t yet support the file.

Conclusions

The examples from Google, Facebook, Apple and Amazon look a little simple just now, but at least a step forward. Overall, the RFC recommends that “security.txt” should have an OpenPGP cleartext signature, but known of the examples give above includes this. Google is the only one that provides a public key for signatures.