Security.txt is a "standard" which allows websites to define security policies. This "standard" sets clear guidelines for security researchers on how to report security issues, and allows bug bounty programs to define a scope. Security.txt is the equivalent of robots.txt
, but for security issues.
https://securitytxt.org/ (https://github.com/securitytxt/securitytxt.org)
https://github.com/securitytxt/
The Internet draft for security.txt can be found here: https://tools.ietf.org/html/draft-foudil-securitytxt-02.
What is the main purpose of security.txt
?
The main purpose of security.txt
is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.txt
, security researchers can easily get in touch with companies about security issues.
Is security.txt
supposed to replace bug bounty platforms?
No. Security.txt is supposed to accompany them.
Contributions from the public are welcome.
The issue tracker is the preferred channel for bug reports and features requests.
The bug tracker utilizes several labels to help organize and identify issues.
Use the GitHub issue search — check if the issue has already been reported.
The security.txt project accepts donations via Liberapay. The money is used to pay bounties to individuals who report valid security vulnerabilities in the security.txt project.