-
-
Notifications
You must be signed in to change notification settings - Fork 35
/
index.html
284 lines (273 loc) · 14.3 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
---
layout: default
index: true
active: 1
directive_tags:
Required: is-danger
Optional: is-success
Only 1 allowed: is-info
directives:
-
name: Contact
id: contact
tags: ['Required']
help: >
A link or e-mail address for people to contact you about security issues. Remember to include "https://"
for URLs, and "mailto:" for e-mails.
placeholder: mailto:[email protected]
spec: 3
-
name: Expires
id: expires
tags: ['Required', 'Only 1 allowed']
help: >
The date and time when the content of the security.txt file should be considered stale (so security
researchers should then not trust it). Make sure you update this value periodically and keep your
file under review.
input: datetime
spec: 5
-
name: Encryption
id: encryption
tags: ['Optional']
help: A link to a key which security researchers should use to securely talk to you. Remember to include "https://".
placeholder: https://example.com/pgp-key.txt
spec: 4
-
name: Acknowledgments
id: acknowledgments
tags: ['Optional']
help: >
A link to a web page where you say thank you to security researchers who have helped you. Remember
to include "https://".
placeholder: https://example.com/hall-of-fame.html
spec: 1
-
name: Preferred-Languages
id: preferredLanguages
tags: ['Optional', 'Only 1 allowed']
help: >
A comma-separated list of language codes that your security team speaks. <strong>You may include more
than one language</strong>.
placeholder: en, es, ru
spec: 8
-
name: Canonical
id: canonical
tags: ['Optional']
help: >
The URLs for accessing your security.txt file. It is important to include this if you are
digitally signing the security.txt file, so that the location of the security.txt file can be digitally
signed too.
placeholder: https://example.com/.well-known/security.txt
spec: 2
-
name: Policy
id: policy
tags: ['Optional']
help: >
A link to a policy detailing what security researchers should do when searching for or reporting security
issues. Remember to include "https://".
placeholder: https://example.com/security-policy.html
spec: 7
-
name: Hiring
id: hiring
tags: ['Optional']
help: A link to any security-related job openings in your organisation. Remember to include "https://".
placeholder: https://example.com/jobs.html
spec: 6
-
name: CSAF
id: csaf
tags: ['Optional']
help: A link to the provider-metadata.json of your CSAF (Common Security Advisory Framework) provider. Remember to include "https://".
placeholder: https://example.com/.well-known/csaf/provider-metadata.json
input: url
spec: IANA
url: https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#718-requirement-8-securitytxt
recent_changes: >
The date format for Expires has changed to ISO 8601. An example of the new format is <code>Expires: 2021-12-31T18:37:07.000Z</code>.
---
<div id="txt-notification">
<div class="notification is-success is-pulled">
<button onclick="removeNotification()" class="delete"></button>
<h1>Your security.txt file has been copied to your clipboard!</h1>
</div>
</div>
<section class="section">
<div class="container">
<h1 class="title">Summary</h1>
<p>
“When security risks in web services are discovered by independent security
researchers who understand the severity of the risk, they often lack the
channels to disclose them properly. As a result, security issues may be left
unreported. security.txt defines a standard to help organizations define the
process for security researchers to disclose security vulnerabilities securely.”
</p>
<br>
<p>
<code>security.txt</code> files have been implemented by <a
href="https://www.google.com/.well-known/security.txt">Google</a>,
<a
href="https://www.facebook.com/.well-known/security.txt">Facebook</a>,
<a
href="https://github.com/.well-known/security.txt">GitHub</a>,
<a href="https://www.gov.uk/help/report-vulnerability">the UK
government</a>, and many other organisations. In addition, the
<a
href="https://security-guidance.service.justice.gov.uk/implement-security-txt/#implementing-securitytxt">UK’s
Ministry of Justice</a>, the <a
href="https://cyber.dhs.gov/bod/20-01/#can-we-use-a-securitytxt-file">Cybersecurity
and Infrastructure Security Agency (US)</a>, the <a
href="https://www.legifrance.gouv.fr/download/pdf?id=huJxqCKNNKgkcV7KPeMiEGdoyaiZlDDLDoWKNzrjT-Y=">French
government</a>, the <a
href="https://docs.italia.it/italia/developers-italia/gl-acquisition-and-reuse-software-for-pa-docs/en/stabile/attachments/annex-A-Guide-to-publishing-software-as-open-source.html?highlight=security.txt#security">Italian
government</a>, the <a href="https://www.digitaltrustcenter.nl/securitytxt">Dutch government</a>, and the <a
href="https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/governance/vulnerability-disclosure-programs-explained">Australian
Cyber Security Centre</a> endorse the use of security.txt files.
</p>
</div>
</section>
<div class="container has-text-centered">
<img width="500px" height="auto" src="https://user-images.githubusercontent.com/18099289/154065277-fdfe0360-04cd-47a2-aca8-4293fedcc617.png" alt="">
</div>
<section class="section">
<div class="container">
<h1 class="title">Step 1</h1>
<p>Create a text file called <code>security.txt</code> under the <code>.well-known</code> directory of your project.</p>
<br>
<form id="genform">
{% if page.recent_changes %}
<article class="message is-warning">
<div class="message-header">
Recent changes to the specification
</div>
<div class="message-body">
<p>{{ page.recent_changes }}</p>
</div>
</article>
{% endif %}
<article id="validation-errors-box" class="message is-danger is-hidden">
<div class="message-body">
<p>
The Contact field failed to validate. Please ensure it starts with <code>mailto:</code> for e-mail addresses,
<code>tel:</code> for telephone numbers, or <code>https://</code> for web URIs.
</p>
<p>For example, <code>mailto:[email protected]</code>.</p>
</div>
</article>
{% for directive in page.directives %}
<fieldset class="box" id="{{directive.id}}">
<legend class="label">
{{ directive.name }}
{% for tag in directive.tags %}
<span class="tag {{ page.directive_tags[tag] }}">{{ tag }}</span>
{% endfor %}
</legend>
<p class="help">
{{ directive.help }} See
{% if directive.spec == 'IANA' %}
<a target="_blank" rel="noopener"
href="{{directive.url}}">
the full description of {{ directive.name }}
</a>
{% else %}
<a target="_blank" rel="noopener"
href="https://www.rfc-editor.org/rfc/rfc9116#section-2.5.{{directive.spec}}">
the full description of {{ directive.name }}
</a>
{% endif %}
</p>
<ul class="list-of-inputs">
{% if directive.input == 'datetime' %}
<li class="field has-addons">
<div class="control">
<input type="date" placeholder="YYYY-MM-DD" class="input" required>
</div>
<div class="control">
<input type="time" placeholder="HH:MM" class="input" required>
</div>
</li>
{% else %}
<li class="field">
<div class="control">
<input class="input" placeholder="{{ directive.placeholder }}" type="{{ directive.input }}"
{% if directive.tags contains 'Required' %} required {% endif %}
{% if directive.id == 'contact' %}
onchange='autoprefixEmail(this);'
{% endif %}
>
{% if directive.id == 'contact' %}
<p class="is-hidden help is-danger">
Each contact field must begin with https:// for web URIs; tel: for telephone numbers; or mailto: for e-mails.
</p>
{% endif %}
</div>
</li>
{% endif %}
</ul>
<div class="field">
<div class="control">
<button type="button" class="button" onclick="addAlternative(this)"
{% if directive.tags contains 'Only 1 allowed' %} disabled {% endif %}
>
Add another alternative
</button>
</div>
</div>
</fieldset>
{% endfor %}
<input class="button is-success" type="submit" value="Generate security.txt file">
</form>
</div>
</section>
<section class="section">
<div class="container">
<h1 class="title" id="step-two">Step 2</h1>
<p>You are ready to go! Publish your security.txt file. If you want to give security researchers confidence that your security.txt file is authentic, and not planted by an attacker, consider <a target="_blank" rel="noopener" href="https://www.rfc-editor.org/rfc/rfc9116#section-2.3">digitally signing</a> the file with an OpenPGP cleartext signature.</p>
<div class="field">
<div class="control">
<textarea id="text-to-copy" class="textarea" readonly></textarea>
</div>
</div>
<div class="field">
<div class="control">
<button id="copy-button" class="button button-primary" disabled="true" onclick="copyTextarea()">Copy to clipboard</button>
</div>
</div>
</div>
</section>
<section class="section">
<div class="container content">
<h1 class="title">Frequently asked questions</h1>
<h5>What is the main purpose of security.txt?</h5>
<p>The main purpose of security.txt is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.txt, security researchers can easily get in touch with companies about security issues.</p>
<h5>Is security.txt an <a href="https://en.wikipedia.org/wiki/Request_for_Comments"><abbr title="Request For Comments">RFC</abbr></a>?</h5>
<p><a href="https://datatracker.ietf.org/doc/html/rfc9116">Yes</a>! We welcome contributions from the public: <a href="https://github.com/securitytxt/security-txt">https://github.com/securitytxt/security-txt</a></p>
<h5>Where should I put the security.txt file?</h5>
<p>For websites, the security.txt file should be placed under the <code>/.well-known/</code> path (<code>/.well-known/security.txt</code>) [<a href="https://tools.ietf.org/html/rfc8615"><abbr title="Request For Comments">RFC</abbr>8615</a>]. It can also be placed in the root directory (<code>/security.txt</code>) of a website, especially if the <code>/.well-known/</code> directory cannot be used for technical reasons, or simply as a fallback. The file can be placed in both locations of a website at the same time.</p>
<h5>Are there any settings I should apply to the file?</h5>
<p>The security.txt file should have an Internet Media Type of <code>text/plain</code> and must be served over HTTPS.</p>
<h5>Will adding an email address expose me to spam bots?</h5>
<p>The email value is an optional field. If you are worried about spam, you can set a URI as the value and link to your security policy.</p>
</div>
</section>
<section class="section">
<div class="container content">
<h1 class="title">Video summary</h1>
<p><a href="https://twitter.com/LiveOverflow">LiveOverflow</a>
produced a video summarising the most
important facts surrounding <code>security.txt</code> files.
<b>Please note:</b> the video was produced on April Fool's Day and
therefore includes a few tongue-in-cheek comments about people
getting <a
href="https://twitter.com/LiveOverflow">LiveOverflow</a>
and <a href="https://twitter.com/EdOverflow">EdOverflow</a>
mixed up.</p>
<div style="position:relative;padding-bottom:56.25%;height:0;overflow:hidden;">
<iframe style="position:absolute;top:0;left:0;" width="100%" height="100%" src="https://www.youtube.com/embed/f-FbcobQQb8" frameborder="0" allowfullscreen></iframe>
</div>
</div>
</section>
<script src="{{ "/js/genform.js" | relative_url}}?v={{ site.time | date: "%s" }}"></script>