Published 14_th of June 2018

When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. Security.txt defines a standard to help organizations describe the process for security researchers to disclose security vulnerabilities securely. *

Security.txt is a proposed standard which allows website owners to define how to report security vulnerabilities. Security.txt is the equivalent of robots.txt, but for security issues.

.well-known directory under IIS

Security.txt is supposed to be under path /.well-known/security.txt

It is acceptable to have it in the root dir but it should redirect to well-known path.

Folder paths with “.” (dot) is not allowed in IIS. The reasoning behind it is that it might give away sensitive information, like a .git or .svn directory (which probably shouldn’t even be on your webserver in the first place).

ONE way around this is to make a handler:

namespace Gosso.Website
{
    using System.Web;
    public class SecurityTxtHandler : IHttpHandler
    {
        public bool IsReusable => true;

        public void ProcessRequest(HttpContext context)
        {
            if (context.Request.Path.ToLower() == "/security.txt") //redirect to /.well-known/
                context.Response.RedirectPermanent("/.well-known/security.txt", true);

            context.Response.ContentType = "text/plain";
            context.Response.WriteFile("~/security.txt"); //have a file in root dir
        }
    }
}

Register the handler in web.config:

<system.webServer> 
   <handlers>
      <add name="securitytxt1" path="*known/security.txt" verb="GET" type="Gosso.Website.SecurityTxtHandler" />
      <add name="securitytxt2" path="/security.txt" verb="GET" type="Gosso.Website.SecurityTxtHandler" />

Simple implementation in Episerver

Make it editable from the CMS. Things change and editors may want to change content without changing a file on the server.

Just make a textarea property on your startpage called “SecurityText” and then use this handler:

namespace Gosso.Website
{
    using System.Web;
    public class SecurityTxtHandler : IHttpHandler
    {
        public bool IsReusable => true;

        public void ProcessRequest(HttpContext context)
        {
            if (context.Request.Path.ToLower() == "/security.txt")
                context.Response.RedirectPermanent("/.well-known/security.txt", true);

            context.Response.ContentType = "text/plain";
            var startpage = ServiceLocator.Current.GetInstance<IContentLoader>().Get<PageData>(ContentReference.StartPage);
            if (startpage.Property.TryGetPropertyValue("SecurityText", out string txt))
            {
                context.Response.Write(txt);
            }
            else
            {
                context.Response.WriteFile("~/security.txt");
            }
        }
    }
}

Code is multisite proof

Content of the security.txt

Minimum example:

contact: https://www.example.com/contact/

With encryption key

contact: security@example.com
encryption: https://example.com/pgp-key.txt

Parameters

Contact can be an email or a link to a form
Encryption is public key that can be used to encrypt the report
Policy is link to your security policy and/or disclosure policy
Acknowledgment is for owners to give kudos to security reporters
Hiring is for security professional hiring openings
Signature is for path to .sig file, so you can sign the security.txt file

Who uses security.txt?

• https://www.facebook.com/.well-known/security.txt

Contact: https://www.facebook.com/whitehat/report/
Acknowledgments: https://www.facebook.com/whitehat/thanks/
Policy: https://www.facebook.com/whitehat/info/
Hiring: https://www.facebook.com/careers/teams/security/

• https://www.google.com/.well-known/security.txt

Contact: https://g.co/vulnz
Contact: mailto:security@google.com
Encryption: https://services.google.com/corporate/publickey.txt
Acknowledgement: https://bughunter.withgoogle.com/
Policy: https://g.co/vrp
Hiring: https://g.co/SecurityPrivacyEngJobs

• https://www.dropbox.com/.well-known/security.txt

# Dropbox uses HackerOne for responsible disclosure.
# Please report abusive content (including malware, spam, etc) to abuse@dropbox.com.
Contact: https://hackerone.com/dropbox/
Acknowledgements: https://hackerone.com/dropbox/thanks
Policy: https://hackerone.com/dropbox/
Hiring: https://www.dropbox.com/jobs/listing/815756

Resources

• https://securitytxt.org/
• * https://github.com/securitytxt/security-txt
• https://ma.ttias.be/well-known-directory-webservers-aka-rfc-5785/
• https://www.michalspacek.com/what-is-security.txt-and-why-you-should-have-one
• https://twitter.com/troyhunt/status/962063783223902208
• https://blog.yeswehack.com/2018/02/06/interview-of-edoverflow-bug-hunter-mastermind-of-security-txt/

SEO terms

• What is security.txt
• How implement security.txt on IIS windows server
• How to make a .well-known directory in IIS
• examples of security.txt

About the author

Luc Gosso
– Independent Senior Web Developer
working with Azure and Episerver

Twitter: @LucGosso
LinkedIn: www.linkedin.com/in/luc-gosso/
Github: http://github.com/lucgosso