davtur19/DotGit

Issue with security.txt

Closed this issue · 3 comments

Hi,

Love this project as a whitehat hacker.

I uploaded a security.txt (blank file) on one of my domains to check if I get an alert, but it did not alert me. I then added some text to the file, so it's not 0kb, but also no alert.

Am I doing something wrong with testing or might this be a bug?

Keep up the good work.

P.S. I read it's possible to get an audio alert, how do I set this up?

Ray

I don't think you understand what the extension is for.

The extension is for finding .git/.hg/.svn, not for finding security.txt.

Also, if you have an empty file or one with random data, the check will fail, as it must be a valid file to avoid false positives.

So in summary, you need a valid repository and a valid security.txt file to appear in the extension.

I don't think a whitehat hacker would have any problem reading a few lines of code in JavaScript and modifying it to their liking.

As for notifications, all you need to do is set the notification sound in your browser or OS settings.
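One reading of "a valid file", as an added example that is not part of this thread and is not DotGit's code: a check against the fields RFC 9116 requires in security.txt (at least one Contact, exactly one Expires). The function name and the sample inputs are constructed here, and the extension's own check may differ.

```javascript
// Added example: minimal RFC 9116 validity check for a security.txt body.
// Assumption: "valid" means the RFC's required fields are present and well-formed.
function validateSecurityTxt(body, now = new Date()) {
  const errors = [];
  const fields = [];
  for (const raw of body.split(/\r?\n/)) {
    const line = raw.trim();
    // An OpenPGP cleartext signature may wrap the file; stop at the signature block.
    if (line.startsWith("-----BEGIN PGP SIGNATURE-----")) break;
    if (line === "" || line.startsWith("#") || line.startsWith("-----")) continue;
    const m = /^([A-Za-z][A-Za-z0-9-]*):\s*(\S.*)$/.exec(line);
    if (!m) {
      errors.push(`not a field line: ${line.slice(0, 40)}`);
      continue;
    }
    fields.push({ name: m[1].toLowerCase(), value: m[2] });
  }
  const contacts = fields.filter((f) => f.name === "contact");
  const expires = fields.filter((f) => f.name === "expires");
  if (contacts.length === 0) errors.push("missing required Contact field");
  for (const c of contacts) {
    // Contact must be a URI; web URIs must use https.
    if (!/^(https:\/\/|mailto:|tel:)\S+$/i.test(c.value)) {
      errors.push(`Contact is not a URI: ${c.value}`);
    }
  }
  if (expires.length !== 1) {
    errors.push("Expires must appear exactly once");
  } else {
    const t = Date.parse(expires[0].value);
    if (Number.isNaN(t)) errors.push("Expires is not a valid date-time");
    else if (t <= now.getTime()) errors.push("Expires is in the past");
  }
  return { valid: errors.length === 0, errors };
}

// Constructed sample inputs: the two cases from the report, plus a valid file.
const SAMPLES = {
  empty: "",
  random: "asdf qwerty\n1234\n",
  valid: "# constructed sample\nContact: mailto:security@example.com\nExpires: 2030-01-01T00:00:00Z\n",
};
const FIXED_NOW = new Date("2025-01-01T00:00:00Z"); // fixed clock for repeatable output
for (const [name, body] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(validateSecurityTxt(body, FIXED_NOW)));
}
```
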

"Check if the site has security.txt" so it doesn't check that. Too bad.

It only does this if the site has a vulnerability, otherwise why would it do it?