security.txt: A Simple File with Big Value

By Sandy Radesky, Associate Director, and Stephanie Kennelley
Our team at CISA often receives questions about why creation of a “security.txt” file was included as one of the priority Cybersecurity Performance Goals (CPGs). Why is it so important? Well, it’s such a simple concept, but it provides great value to all of those involved in vulnerability management and disclosure.
When security researchers and bug hunters uncover vulnerabilities in an organization’s ecosystem, how do they even know who to reach out to? Without clear reporting channels, researchers may be unable to quickly discern where to report vulnerabilities – meanwhile the organization remains vulnerable to attackers. However, there is an opportunity for all organizations to overcome this obstacle in line with CISA’s guidance through a simple text file – the security.txt file.
Earlier this year, CISA launched the Ransomware Vulnerability Warning Pilot (RVWP) program, which proactively discovers and notifies organizations of their exposure to internet-accessible vulnerabilities used in ransomware attacks. This is a proactive program used to enable organizations to take early mitigation measures before an incident occurs. Our current notification process can be hampered by the inability to find appropriate point of contact information for organizations. According to a recent study, only about a half of a percent of the world’s top one million websites publish a security.txt file. The lack of this simple file leads to multiple emails and phone calls to the organization, delaying the notification process and the organization’s awareness of the critical need to mitigate their risk to ransomware.
In an effort to accelerate the delivery of all notifications, CISA supports using the “security.txt” standard to streamline notifications and reduce the risk of compromise. It not only helps our work but also supports other partners that try to warn organizations of internet-accessible vulnerabilities susceptible to cyber threat actors – this is most important for organizations aligned to our most valuable critical infrastructure sectors.
For those that don’t already know, the security.txt is a proposed Internet standard, RFC 9116, which concisely advertises an entity’s vulnerability disclosure process. Like robots.txt, this machine-readable file resides on a public-facing webserver, either in the root or “well-known” directory, where security professionals and researchers can quickly identify the entity’s preferences for reporting vulnerabilities. Each domain and subdomain within an entity’s network should have its own security.txt file.
CISA’s security.txt file resides on our public-facing domain, at https://www.cisa.gov/security.txt (this will redirect, per our canonical):
Contact: mailto:ContactOCIO@cisa.dhs.gov
Expires:  2024-10-01T00:00:00.000Z
Encryption: https://www.cisa.gov/contact-us
Hiring: https://www.cisa.gov/careers
Generally, security.txt files should contain the following fields (Required or Optional as marked):

Contact (Required)
How researchers should contact the entity to report security vulnerabilities, such as an email address, phone number, or web page. Entities should list contact methods in order of preference, with the first being the most preferred.

Expires (Required)
Date and time after which the data contained in the security.txt file is considered stale and should not be used.

Encryption (Optional)
Link to the entity’s public key (such as an OpenPGP key) so researchers can encrypt their communications with the entity.

Canonical (Optional)
Canonical URIs where the security.txt file is located.
Example:
Canonical: https://www.cisa.gov/sites/default/files/security.txt

Acknowledgments (Optional)
Link to a page where security researchers are recognized for their reports and collaboration.

Preferred-Languages (Optional)
Comma-separated list of natural languages in which researchers can submit reports to the entity. If the field is omitted, researchers should assume the preferred language is English. (Communication is key.)
Example (for English, Spanish, and French):
Preferred-Languages: en, es, fr

Policy (Optional)
Link to the location of the entity’s vulnerability disclosure policy and reporting practices.

Hiring (Optional)
Link to the entity’s security-related job positions.

CSAF (Optional)
A link to the provider-metadata.json of your CSAF (Common Security Advisory Framework) provider. Remember to include “https://”. See the full description of CSAF.
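To show what the field rules above mean in practice, here is a small checker for a security.txt file, added as an example and not code from CISA or RFC 9116. It parses the "Field: value" lines, requires Contact and Expires, flags a file whose Expires timestamp has passed (stale, per the Expires rule), and checks that link fields use https://. The sample file is constructed for this example; the domain and paths are made up.

```python
from datetime import datetime, timezone

# Constructed sample, modelled on the CISA file quoted above (not fetched).
SAMPLE = """\
# Constructed example security.txt
Contact: mailto:security@example.gov
Contact: https://example.gov/report
Expires: 2024-10-01T00:00:00.000Z
Encryption: https://example.gov/pgp-key.txt
Canonical: https://example.gov/.well-known/security.txt
Preferred-Languages: en, es, fr
"""

REQUIRED = ("Contact", "Expires")
HTTPS_ONLY = ("Encryption", "Canonical", "Policy", "Hiring", "Acknowledgments", "CSAF")

def parse_security_txt(text):
    """Return {field: [values, ...]} in file order; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")  # first colon only; URLs keep theirs
        if not sep:
            continue  # not a "Field: value" line; ignored here
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = [f"missing required field {n}" for n in REQUIRED if n not in fields]
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear only once")
    for value in expires:
        try:  # accept the trailing 'Z' form shown in CISA's file
            exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {value}")
            continue
        if exp <= now:
            problems.append(f"file is stale: expired {value}")
    for name in HTTPS_ONLY:  # links researchers follow should not be downgradeable
        for value in fields.get(name, []):
            if not value.startswith("https://"):
                problems.append(f"{name} must use https://: {value}")
    return problems
```

Running `check_security_txt(SAMPLE)` today reports the file as stale, which is exactly the condition the Expires field exists to make visible; the first Contact value is the preferred channel because order is preserved.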

CISA recommends that all organizations adopt “security.txt” standards. As part of the larger cybersecurity community, you can help to advance the adoption of Cybersecurity Performance Goals (CPGs) and make every American’s critical infrastructure more resilient. A small contribution to add this simple file and ensure it stays updated will make a huge impact in not only improving your own organization’s security but also the national cybersecurity ecosystem!
