
While listening to a recent episode of Security Now, I heard Steve Gibson discuss that help is on the way for securing websites and services. I have not seen much mention of it anywhere else, but I feel that it is definitely something worth noting.

When it comes to identifying security risks in websites and services, a major problem in the industry has been two-fold. First, security researchers have been wary of testing the security of sites and services because of the legal action that may be taken against them. Second, when they do test a site and discover a vulnerability, there is often no defined way to disclose it to the developers. Because of the lack of disclosure options, the identified vulnerability often goes unreported and therefore remains out in the wild, leaving the adversary many avenues of attack. This is where web developer and security researcher Ed Foudil, and the draft he has submitted to the IETF, step in to save the day.

Mr. Foudil has graciously submitted to the IETF a draft that seeks to standardize security.txt. According to securitytxt.org: "The main purpose of the security.txt file is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.txt, security researchers can easily get in touch with companies about security issues."

security.txt is a simple text file, similar to a robots.txt file, located in the root directory of a website. It gives an organization a standard way to define the process by which security researchers can securely disclose the vulnerabilities they have identified. Not only does the file provide the proper contact information, it also provides a secure way to transfer that information (the file can point at an encryption key for reports), as outlined in the IETF draft, which can be read
here.
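To show what a consumer of such a file actually does, here is an added example in Python; it is not code from this post, from securitytxt.org or from the IETF draft. It parses the `Field: value` lines, checks that a Contact exists, and refuses an Encryption key served over plain HTTP (a key fetched over HTTP can be swapped by a network attacker, which defeats the purpose of encrypting a report). The field names Contact, Encryption, Disclosure and Acknowledgement are taken from the early draft the post refers to, and the sample file is constructed; both are assumptions, not content from the post.

```python
"""Parse and sanity-check a security.txt file.

Added example for this post; not code from the post, securitytxt.org or the
IETF draft. Field names follow the early draft-foudil-securitytxt text
(Contact, Encryption, Disclosure, Acknowledgement); later revisions changed
that set, so treat KNOWN_FIELDS as an assumption.
"""
from typing import Dict, List
from urllib.parse import urlparse
import urllib.request

KNOWN_FIELDS = {"Contact", "Encryption", "Disclosure", "Acknowledgement"}
DISCLOSURE_VALUES = {"full", "partial", "none"}

# Constructed sample file (not from any real site) so the example runs offline.
SAMPLE = """\
# Constructed example security.txt
Contact: security@example.com
Contact: https://example.com/security
Encryption: https://example.com/pgp-key.txt
Disclosure: Full
Acknowledgement: https://example.com/hall-of-fame
"""


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Return {field: [values...]} from 'Field: value' lines.

    Blank lines and '#' comments are skipped. A field may repeat (several
    Contact lines are normal), so every value is kept in order.
    """
    fields: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Field: value', got {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate(fields: Dict[str, List[str]]) -> List[str]:
    """Return a list of problems; an empty list means the file looks sane."""
    problems: List[str] = []

    contacts = fields.get("Contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for contact in contacts:
        # Accept a mail address, a mailto:/tel: URI, or an https:// URL.
        ok = "@" in contact or contact.startswith(("mailto:", "tel:", "https://"))
        if not ok:
            problems.append(f"Contact is not a usable address or https URL: {contact}")

    # A PGP key fetched over plain http could be swapped by a network attacker,
    # which defeats the point of encrypting the report; insist on https.
    for url in fields.get("Encryption", []):
        if urlparse(url).scheme != "https":
            problems.append(f"Encryption key must be served over https: {url}")

    for value in fields.get("Disclosure", []):
        if value.lower() not in DISCLOSURE_VALUES:
            problems.append(f"Disclosure must be Full, Partial or None: {value}")

    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field: {name}")
    return problems


def fetch_security_txt(base_url: str, timeout: float = 5.0) -> str:
    """Fetch a site's security.txt over the network (not exercised offline).

    Tries the root location the post describes, then the /.well-known/
    location that later revisions of the draft adopted.
    """
    last_error: Exception = FileNotFoundError("no security.txt found")
    for path in ("/security.txt", "/.well-known/security.txt"):
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
                return resp.read().decode("utf-8", errors="replace")
        except Exception as exc:  # 404, connection error, etc.: try the next path
            last_error = exc
    raise last_error


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE)
    for field, values in parsed.items():
        print(f"{field}: {values}")
    print("problems:", validate(parsed) or "none")
```

Run it as a script to see the constructed sample parsed, or call `fetch_security_txt("https://example.org")` against a real origin and feed the result to `validate`. One caveat for anyone using this today: the standard that eventually came out of this draft, RFC 9116, moved the file to /.well-known/security.txt (keeping the root path only as a fallback), dropped the Disclosure field and made an Expires field mandatory, so a validator for current files needs a different field set than the one assumed here.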
As Steve Gibson said, "this is so simple it's brilliant", and it should be applauded!
https://mikesship.blogspot.com/2017/10/securitytxt.html