RFC 9116: File Format to Aid in Security Vulnerability Disclosure
In 2022, Foudil and Shafranovich published RFC 9116 [here]:
Overall, it’s a very simple proposal: a company posts a file which defines where vulnerabilities can be reported. An example defined in the RFC is:
# Our security address
Contact: mailto:security@example.com
# Our OpenPGP key
Encryption: https://example.com/pgp-key.txt
# Our security policy
Policy: https://example.com/security-policy.html
# Our security acknowledgments page
Acknowledgments: https://example.com/hall-of-fame.html
We can see there is an email address and a public key for secure communications. The file itself should be placed under “/.well-known/”, such as https://example.com/.well-known/security.txt.
Adoption is increasing, with Google being one of the first adopters [here]:
In this file, Google provides their public key [here]:
# Apple Security Updates
# Apple Web Server Security Acknowledgements
# Apple Security Bounty Guidelines
# Found a bug? Our bug bounty policy:
# What we do when we find a bug in another product:
Expires: Sat, 04 Mar 2023 12:45:14 -0800
# Bug Bounty Policy:
# For vulnerabilities related to Amazon Web Services (AWS):
Unfortunately, Microsoft and Netflix don’t yet support the file.
The examples from Google, Facebook, Apple and Amazon look a little simple just now, but they are at least a step forward. Overall, the RFC recommends that “security.txt” should carry an OpenPGP cleartext signature, but none of the examples given above includes one. Google is the only one that provides a public key for signatures.
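To make the file format and the two points above concrete (the mandatory fields and the missing signatures), here is an added example of my own, not code from the RFC or from any of the vendors discussed: a small RFC 9116 checker that parses a security.txt, reports missing Contact/Expires fields, rejects an Expires value that is not in RFC 3339 form (the RFC requires that format, so an RFC 2822-style date like the one quoted above is flagged), reports a past Expires as stale, and reports a file that carries no OpenPGP cleartext signature. The sample files and the fixed clock are constructed for the demonstration; the signature is only detected, not verified, since verification needs the publisher's key.

```python
import re
from datetime import datetime, timezone
# Field names defined by RFC 9116; Contact and Expires are mandatory.
KNOWN = {"acknowledgments", "canonical", "contact", "encryption", "expires",
         "hiring", "policy", "preferred-languages"}
SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
RFC3339 = r"\d{4}-\d{2}-\d{2}[Tt ]\d{2}:\d{2}:\d{2}([Zz]|[+-]\d{2}:\d{2})"

def strip_cleartext_signature(text):
    """Return (body, signed). Presence only: verifying needs the publisher's key."""
    if SIGNED not in text:
        return text, False
    body = text.split(SIGNED, 1)[1].split("\n\n", 1)[1]   # drop armor headers
    return body.split("-----BEGIN PGP SIGNATURE-----", 1)[0], True

def check_expires(value, now):
    """RFC 9116 requires RFC 3339 format; a past date means the file is stale."""
    if not re.fullmatch(RFC3339, value):
        return [f"Expires '{value}' is not RFC 3339 (e.g. 2023-03-04T20:45:14Z)"]
    ts = datetime.fromisoformat(re.sub(r"[Zz]$", "+00:00", value))
    return ["Expires is in the past: the file is stale"] if ts < now else []

def audit_security_txt(text, now):
    """Parse a security.txt body and list its RFC 9116 compliance problems."""
    body, signed = strip_cleartext_signature(text)
    fields, problems = {}, []
    if not signed:
        problems.append("no OpenPGP cleartext signature (RFC 9116 recommends one)")
    for lineno, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                               # blank lines and comments
        name, sep, value = line.partition(":")
        name = name.strip().lower()                # field names are case-insensitive
        if not sep or name not in KNOWN:
            problems.append(f"line {lineno}: not a known 'name: value' field")
            continue
        fields.setdefault(name, []).append(value.strip())
    if "contact" not in fields:
        problems.append("missing required field 'contact'")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append(f"Expires must appear exactly once (found {len(expires)})")
    else:
        problems += check_expires(expires[0], now)
    return problems

# Constructed samples (not any vendor's real file); BAD uses an RFC 2822-style date like the one quoted above.
NOW_EXAMPLE = datetime(2023, 1, 1, tzinfo=timezone.utc)   # fixed clock so results are reproducible
GOOD = "# Our security address\nContact: mailto:security@example.com\nEncryption: https://example.com/pgp-key.txt\nExpires: 2023-06-30T00:00:00Z\n"
BAD = "Contact: mailto:security@example.com\nExpires: Sat, 04 Mar 2023 12:45:14 -0800\n"
```

Run `audit_security_txt(GOOD, NOW_EXAMPLE)` and `audit_security_txt(BAD, NOW_EXAMPLE)` to see the two reports; the only finding against GOOD is the missing signature.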