How do security researchers and bug hunters determine whom to contact when they discover vulnerabilities within an organization's system? Without defined reporting channels, researchers may struggle to identify where to report these vulnerabilities, leaving the organization exposed to potential attacks. However, organizations can address this challenge by following CISA's guidance and implementing a straightforward solution: the security.txt file.
Security.txt is a proposed Internet standard, RFC 9116, which concisely advertises an entity’s vulnerability disclosure process.
Similar to robots.txt, the security.txt file is machine-readable and is typically located on a public-facing webserver, either in the root directory or the "well-known" directory. This file enables security professionals and researchers to promptly identify an organization's preferences for reporting vulnerabilities. It's important to note that each domain and subdomain within an organization's network should have its own security.txt file.
Generally, security.txt files contains below fields,
Mandatory fields:
Contact |
How researchers should contact entities to report security vulnerabilities, such as email, phone number, or a web page. Entities should list contact methods by order of preference, with the first being most preferred. |
Expires |
Date and time after which the data contained in the "security.txt" file is considered stale and should not be used. |
Optional fields:
Encryption |
Link to the entity's public key (like OpenPGP) for researchers to encrypt communications with the entity. |
Canonical |
Canonical URIs where the “security.txt” file is located. |
Acknowledgements |
Link to a page where security researchers are recognized for their reports and collaboration. |
Preferred-Languages |
Comma-separated list of natural language in which researchers can submit reports to the entity. If the field is omitted, researchers should assume the preferred language is English. (Communication is key.) Example (for English, Spanish, and French): Preferred-Languages: en, es, fr |
Policy |
Link to the location of the entity’s vulnerability disclosure policy and reporting practices. |
Hiring |
Link to the entity’s security-related job positions. |
CSAF |
A link to the provider-metadata.json of your CSAF (Common Security Advisory Framework) provider. Remember to include "https://". |
You can create a security.txt file in AEM’s content path and have rewrites to enable them.
Ensure you make it available through inline options
Path: /dispatcher-cloud/src/conf.d/rewrites/
File: rewrite.rules
## content-disposition rule for security.txt
<LocationMatch ".*/.well-known/security.txt$">
ForceType text/plain
Header set Content-Disposition inline
</LocationMatch>