More and New Web Standards - security.txt

The Internet is constantly evolving and it can be hard to keep up. Therefore, I believe it is important that any news about new standards needs to be shared and discussed as widely as possible.

Earlier this year, the new RFC 9116 was published, explaining how the security.txt file works.

TL;DR - The security.txt file is a plain text file published on your web site in a well known location where security researchers can find information on how to contact you when they discover some security issue they want you to know about.

But why?

Well, security researchers use a variety of tools and techniques to test web sites for vulnerabilities. In general, researchers have to choose a sample which often includes various public web sites. Security research could be seen as a form of White Hat Hacking, but the exact legal interpretations may be very different from country to country. Be that as it may, these security researchers may in the course of their research discover a particular site has a vulnerability.

The normal procedure when a vulnerability is discovered, is to contact the site owner and notify them. However, standards on the process to follow is far from mature. Previously, RFC's like RFC 2142 attempted to address this by promoting common or well known e-mail addresses you could use to contact site owners for specific topics. For the purpose of disclosing vulnerabilities, the security mailbox should be used, but since RFC's are not enforceable there are many web sites that do not have a security mailbox.

In cases where security researches could not reach a site owner via the security mailbox, they would normally have to spend a lot of time trying to find an appropriate contact method.

Now, some site owners may feel that a security researcher that have discovered a vulnerability may indeed have been "hacking" their site without their consent. This is a legal matter which I am not an expert on, but in general I believe that active hacking attempts on a web site without consent is a recipe for a legal disaster.

However, sometimes even normal IT professionals together with security researchers may stumble on a security issue - after all, the web site in question here is in the public domain, so everything about the site can be seen - warts and all. In these cases, I think it's perfectly acceptable for the site owners to be notified. In fact, I would argue that it is much better for a site owner to get such a notification from a responsible person rather than finding out when really bad actors exploit such a vulnerability.

So what about this site?

Well, I have followed the instructions, after stumbling on the Dutch information security site about security.txt.

For this blog site, you can view the file at:

Afterwards, and in general, it's also a good idea to validate your site with a tool like - this site can run some basic tests on any website and produces a brief report. Again, site owners don't need to give consent, as this site merely reports on publicly available information, which the site owners have decided to put in the public domain. It really is a helpful tool and I will also try to achieve better scores for my own site(s) in the future.


Below is a short video explaining security.txt from the inventor:


internet, security, infosec, standards