DEV Community

Takashi Masuda for ROUTE06, Inc.

What Is security.txt and How Can It Help Improve Website Security?

Hey Devs!

While working on open-sourcing our product, I came across security.txt. Here is a brief introduction.

Overview of security.txt

security.txt is a standardized text file that publishes security contact information for a website. Defined in RFC 9116 (published in April 2022), it is served at /.well-known/security.txt on the site.

By implementing security.txt, you can enjoy the following benefits:

  • Security researchers and ethical hackers can easily find contact details and guidelines to report security issues on your website
  • Organizations can efficiently receive and address reports of security vulnerabilities

Without security.txt or clear contact information, discovered security issues might go unreported.

Format of security.txt

You can include up to eight types of fields in the file.

# Required
Contact:  # URL or email address for reporting. If multiple, list Contact fields in order of priority.
Expires:  # Expiration date and time. To prevent `security.txt` from becoming outdated, an expiry date within a year is recommended.

# Optional
Preferred-Languages:  # Supported languages, multiple allowed.
Policy:               # URL of the security policy page.
Acknowledgments:      # URL of the page acknowledging past reporters.
Hiring:               # URL for security-related job openings.
Canonical:            # URL of this `security.txt`.
Encryption:           # Location of encryption keys, such as PGP keys, for secure communication.

Here is an example. You can also generate one at https://securitytxt.org/.

# Required
Contact: mailto:security@example.com
Expires: 2025-11-30T23:59:59Z

# Optional
Preferred-Languages: en, ja
Policy: https://example.com/security-policy.html
Acknowledgments: https://example.com/hall-of-fame.html
Hiring: https://example.com/security-jobs.html
Canonical: https://example.com/.well-known/security.txt
Encryption: https://example.com/pgp-key.txt
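As an added example (not part of the original post or of ROUTE06's tooling), here is a small Python checker for the rules described above: it parses a security.txt body, requires the two mandatory fields, requires Contact values to be mailto:, https: or tel: URIs, and flags an Expires timestamp that is already past or more than a year away. The sample file is constructed and deliberately faulty.

```python
# Added example (not from the post): offline RFC 9116 checks for a security.txt body.
from datetime import datetime, timedelta, timezone

REQUIRED = {"Contact", "Expires"}
KNOWN = REQUIRED | {"Preferred-Languages", "Policy", "Acknowledgments",
                    "Hiring", "Canonical", "Encryption"}

# Constructed sample with three deliberate defects (plain http, expired, misspelt field).
SAMPLE = """Contact: mailto:security@example.com
Contact: http://example.com/report
Expires: 2020-01-01T00:00:00Z
Acknowledgements: https://example.com/hall-of-fame.html
"""

def parse_security_txt(text):
    """Return (fields, problems). Only whole lines starting with '#' are comments."""
    fields, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            problems.append(f"line {n}: expected 'Field: value'")
            continue
        # Field names are case-insensitive; map them to the RFC spelling.
        canon = {k.lower(): k for k in KNOWN}.get(name.strip().lower(), name.strip())
        if canon not in KNOWN:
            problems.append(f"line {n}: unknown field {canon!r}")
        fields.setdefault(canon, []).append(value.strip())
    return fields, problems

def check_security_txt(text, now=None):
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text)
    problems += [f"missing required field {r}" for r in sorted(REQUIRED - set(fields))]
    for c in fields.get("Contact", []):  # web URIs MUST use https
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {c}")
    for e in fields.get("Expires", []):
        try:
            when = datetime.fromisoformat(e.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {e}")
            continue
        when = when if when.tzinfo else when.replace(tzinfo=timezone.utc)
        if when <= now:
            problems.append(f"file expired at {e}; reporters may distrust it")
        elif when - now > timedelta(days=365):
            problems.append("Expires is over a year away (RFC recommends under a year)")
    return problems
```

RFC 9116 only treats whole lines beginning with # as comments, so the annotated templates on this page are field summaries rather than literal files; the checker also flags the Acknowledgements spelling, since the RFC field is Acknowledgments.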

ROUTE06, Inc.'s security.txt file template

At ROUTE06, Inc., we use the following template for security.txt files:

Contact:  # Provide the security contact email in mailto: format.
Expires:  # Specify a date within one year and update regularly.

Preferred-Languages: en, ja
Policy:     # Specify the URL of https://github.com/{org}/{repo}/security/policy or the security policy page.
Canonical:  # Specify the URL of this security.txt.

💡 So that the Expires field and the other fields do not go stale, we use route06/actions/.github/workflows/create_gh_issue.yml to open reminder issues on a schedule.

ROUTE06, Inc.'s example

Here is an example from our service, Giselle:

💡 Giselle is a SaaS platform that enables no-code creation of agents and workflows leveraging generative AI. Visit the service site at https://giselles.ai/ for more details. The OSS repository is also available at giselles-ai/giselle.

Conclusion

Since security.txt is just a text file, it is easy to create, and it gives vulnerability reporters a reliable point of contact.

Appendix: Examples from Other Companies

Supabase

The security.txt file for https://supabase.com doubles as a GitHub SECURITY.md.

Others
