September 19, 2017 By Douglas Bonderud 2 min read

Web security solutions lack standardization for reporting vulnerabilities. Security researcher Ed Foudil recently submitted a draft to the Internet Engineeing Task Force (IETF) that suggested creating a standardized security.txt file on every website that details the site’s security policy and provides contact information to report new vulnerabilities.

The Dangers of Delayed Response

Right now, many companies fail to respond in a timely manner when they discover vulnerabilities. As noted by IT Wire, security firm Embedi discovered multiple flaws in D-Link routers and reported them all to the company. Despite months of back and forth, Embedi said only one of the vulnerabilities was patched.

The firm also contacted the Community Emergency Response Team (CERT) and was told to use D-Link’s official reporting channels. In August, the security firm released exploit code for all three vulnerabilities since there was no evidence of further patch progress.

This isn’t the ideal route for security professionals and security firms. They would prefer to work with developers, create a patch and then release code into the wild, especially since cybercriminals start working on new attack variations within hours after any new weakness is made public.

Lacking standardization, white-hat hackers are forced to wait on corporate responses. Often there is no viable way to contact organizations directly, leaving researchers with the difficult choice of keeping quiet and hoping no one else notices the issue or speaking up to compel change, risking exploitation by malicious actors.

A New Standard for Reporting Vulnerabilities

As noted by Bleeping Computer, Foudil got his idea after attending DEF CON this year. He modeled his new security.txt after robots.txt, which is used by web search spiders when they index sites. Standardization of robots.txt has significantly improved the efficiency of this indexing, and Foudil imagined something similar for the security.txt protocol. In his version, however, the file is kept on the top level of company web servers and read by human beings.

The current draft supports four directives: contact, encryption, disclosure and acknowledgment, which would give security researchers the information they need to make contact and start the process of remediating code flaws. So far, security.txt has been met with support from HackerOne, Bugcrowd and Google. If widely adopted, the new .txt file could also be expanded to include directives such as rate-limit, platform, reward, donate and disallow, providing even more specific direction to security firms and researchers.

While it’s still in the draft stage, there’s a growing need for security.txt and similar standardized security solutions. Haphazard communication, feedback and application patching won’t work in a tech landscape characterized by cybercriminals able to pounce on vulnerabilities within hours and companies willing to discount potential defense disasters until it’s too late. By creating a simple, standardized format, corporations can provide a direct line for feedback, fraudsters are left out of the loop and security experts can do what they do best: discover and report critical code vulnerabilities.

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today