RFC 9116: File Format to Aid in Security Vulnerability Disclosure

In 2022, Foudil and Shafranovich published [here]:

Overall, it is a very simple proposal: a company publishes a file that defines where vulnerabilities can be reported. The example given in the RFC is:

# Our security address
Contact: mailto:security@example.com

# Our OpenPGP key
Encryption: https://example.com/pgp-key.txt

# Our security policy
Policy: https://example.com/security-policy.html

# Our security acknowledgments page
Acknowledgments: https://example.com/hall-of-fame.html

Expires: 2021-12-31T18:37:07z

We can see that there is an email address and a link to a public key for secure communications. The file itself should be placed under the “/.well-known/” path, for example at https://example.com/.well-known/security.txt.

Adoption is increasing, with Google being one of the first adopters [here]:

Contact: https://g.co/vulnz
Contact: security@google.com
Encryption: https://services.google.com/corporate/publickey.txt
Acknowledgements: https://bughunters.google.com/
Policy: https://g.co/vrp
Hiring: https://g.co/SecurityPrivacyEngJobs

In this file, Google also provides its public key [here]:

Apple [here]:

Contact: https://security.apple.com

# Apple Security Updates
Acknowledgments: https://support.apple.com/HT201222

# Apple Web Server Security Acknowledgements
Acknowledgments: https://support.apple.com/HT201536

# Apple Security Bounty Guidelines
Policy: https://security.apple.com/bounty/guidelines/

Expires: 2030-01-01T09:00:00.000Z

Facebook [here]:

Contact: https://www.facebook.com/whitehat/report/
Acknowledgments: https://www.facebook.com/whitehat/thanks/
Hiring: https://www.facebook.com/careers/teams/security/

# Found a bug? Our bug bounty policy:
Policy: https://www.facebook.com/whitehat/info/

# What we do when we find a bug in another product:
Policy: https://www.facebook.com/security/advisories/Vulnerability-Disclosure-Policy

Expires: Sat, 04 Mar 2023 12:45:14 -0800

Amazon [here]:

Contact: https://hackerone.com/amazonvrp/reports/new
Hiring: https://www.amazon.jobs/en/teams/infosec

# Bug Bounty Policy:
Policy: https://hackerone.com/amazonvrp

# For vulnerabilities related to Amazon Web Services (AWS):
https://aws.amazon.com/security/vulnerability-reporting/

Unfortunately, Microsoft and Netflix don’t yet support the file.

Conclusions

The examples from Google, Facebook, Apple and Amazon look a little simple just now, but they are at least a step forward. Overall, the RFC recommends that “security.txt” should carry an OpenPGP cleartext signature, but none of the examples given above includes one. Google is the only one that provides a public key (via the Encryption field).
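As an added example (not code from the RFC or from this post), the following Python script parses a security.txt body in the format described above and checks it against the RFC 9116 rules that the conclusions touch on: Contact and Expires are required, Expires must appear exactly once in RFC 3339 form and should be less than a year away, and the file should carry an OpenPGP cleartext signature (the script only detects the signature wrapper; verifying it would need the publisher's key and a PGP library). The SecurityTxt class, the wording of the findings and the two sample files are this example's own constructions. The sloppy sample deliberately combines patterns visible in the files quoted above: an e-mail address without mailto:, an Expires value that is not RFC 3339, a bare URL on a line of its own (which parses as a bogus field named https and is reported as an unknown field), and a field spelled Acknowledgements rather than the RFC's Acknowledgments.

```python
# Added example (not code from RFC 9116 or from the post): parse a security.txt body and
# check it against RFC 9116. Finding texts, SecurityTxt and the samples are this example's own.
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",  # RFC 9116 names,
                "expires", "hiring", "policy", "preferred-languages"}    # case-insensitive
# RFC 3339 date-time as used by Expires, e.g. 2021-12-31T18:37:07z (lowercase z/t allowed).
RFC3339_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})[Tt](\d{2}):(\d{2}):(\d{2})"
                        r"(?:\.\d+)?([Zz]|[+-]\d{2}:\d{2})$")


@dataclass
class SecurityTxt:
    fields: dict[str, list[str]] = field(default_factory=dict)  # lowercased name -> values
    unparsed: list[str] = field(default_factory=list)           # lines that are not Field: value
    signed: bool = False  # wrapped in a PGP cleartext signature (signature itself not verified)


def parse_security_txt(text: str) -> SecurityTxt:
    """Split a security.txt body into fields, skipping comments and any PGP armor."""
    doc = SecurityTxt()
    in_sig_header = in_signature = False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
            doc.signed = in_sig_header = True
        elif line.startswith("-----BEGIN PGP SIGNATURE-----"):
            in_signature = True
        elif line.startswith("-----END PGP SIGNATURE-----"):
            in_signature = False
        elif in_sig_header:  # armor headers such as "Hash: SHA256" end at the first blank line
            in_sig_header = bool(line.strip())
        elif in_signature or not line.strip() or line.startswith("#"):
            pass  # signature data, blank line or comment
        else:
            name, sep, value = line.partition(":")
            if sep and name.replace("-", "").isalnum() and value.strip():
                doc.fields.setdefault(name.lower(), []).append(value.strip())
            else:  # free text without a "Field:" prefix
                doc.unparsed.append(line)
    return doc


def parse_expires(value: str) -> datetime | None:
    """Return the Expires instant as an aware UTC datetime, or None if malformed."""
    m = RFC3339_RE.match(value.strip())
    if not m:
        return None
    y, mo, d, h, mi, s, tz = m.groups()
    try:
        dt = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), tzinfo=timezone.utc)
    except ValueError:  # e.g. month 13 or day 32
        return None
    if tz.lower() != "z":  # numeric offset: shift the local time back to UTC
        offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
        dt = dt - offset if tz[0] == "+" else dt + offset
    return dt


def check_security_txt(doc: SecurityTxt, now: datetime | None = None) -> list[str]:
    """Return findings in a fixed order; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    issues = [f"line is not a 'Field: value' pair: {line!r}" for line in doc.unparsed]
    issues += [f"unknown field '{name}'" for name in doc.fields if name not in KNOWN_FIELDS]
    contacts = doc.fields.get("contact", [])
    if not contacts:
        issues.append("missing required field 'Contact'")
    issues += [f"Contact '{c}' is an e-mail address without the mailto: scheme"
               for c in contacts if "@" in c and not c.lower().startswith("mailto:")]
    expires = doc.fields.get("expires", [])
    if len(expires) != 1:
        issues.append(f"'Expires' must appear exactly once (found {len(expires)})")
    elif (exp := parse_expires(expires[0])) is None:
        issues.append(f"Expires '{expires[0]}' is not an RFC 3339 date-time")
    elif exp <= now:
        issues.append(f"file expired on {exp.isoformat()}")
    elif exp - now > timedelta(days=365):
        issues.append("Expires is more than a year away (RFC 9116 recommends less)")
    if not doc.signed:
        issues.append("file is not OpenPGP cleartext signed (RFC 9116 recommends it)")
    return issues


# Constructed sample files, not any real organisation's security.txt.
GOOD_SIGNED = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: mailto:security@example.com
Expires: 2021-12-31T18:37:07z
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
"""
SLOPPY = """\
Contact: security@example.org
Acknowledgements: https://example.org/thanks
https://example.org/cloud-vulns
Expires: Sat, 04 Mar 2023 12:45:14 -0800
"""
```

Calling check_security_txt(parse_security_txt(SLOPPY), now=parse_expires("2021-06-01T00:00:00Z")) yields five findings (two unknown fields, the missing mailto: scheme, the unparseable Expires, and the absent signature), while GOOD_SIGNED passes cleanly at that date and is reported as expired once now is past 2021-12-31. Passing a fixed now keeps runs reproducible; the real files quoted above can be fed in the same way to see which of them would satisfy the RFC's requirements.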