/security-txt

A "standard" that allows websites to define security policies.

Security.txt is a "standard" which allows websites to define security policies. This "standard" sets clear guidelines for security researchers on how to report security issues, and allows bug bounty programs to define a scope. Security.txt is the equivalent of robots.txt, but for security issues.

Website

https://securitytxt.org/ (https://github.com/securitytxt/securitytxt.org)

Security.txt GitHub Organization

https://github.com/securitytxt/

Internet draft

The Internet draft for security.txt can be found here: https://tools.ietf.org/html/draft-foudil-securitytxt-02.

Team


EdOverflow
💻 🚇 📖 🔒 🐛 🎨 👀 ✉️ 🕷
TomNomNom
💻 🚇 📖 👀
Joel Margolis
📖 👀
Jobert Abma
📖 🐛 👀 ✉️
GerbenJavado
📖
Justin Calmus
📖 ✉️
Casey Ellis
📖

Ryan Black
🚇 👀
Coen Hyde
Austin Heap
💻 🚇 📖 🔒 🐛 👀 ✉️ 🕷
Karel Origin
💻 🚇 🔒 🐛
Nightwatch Cybersecurity Research
📖 🐛 👀 ✉️

FAQ

What is the main purpose of security.txt?

The main purpose of security.txt is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.txt, security researchers can easily get in touch with companies about security issues.

Is security.txt supposed to replace bug bounty platforms?

No. Security.txt is supposed to accompany them.

Contributing

Contributions from the public are welcome.

Using the issue tracker 💡

The issue tracker is the preferred channel for bug reports and features requests. GitHub issues

Issues and labels 🏷

The bug tracker utilizes several labels to help organize and identify issues.

Guidelines for bug reports 🐛

Use the GitHub issue search — check if the issue has already been reported.

Donations

The security.txt project accepts donations via Liberapay. The money is used to pay bounties to individuals who report valid security vulnerabilities in the security.txt project.

Donate using Liberapay