martijnrusschen / security-txt

A "standard" that allows websites to define security policies.

Home Page: https://securitytxt.org


Security.txt is a "standard" which allows websites to define security policies. This "standard" sets clear guidelines for security researchers on how to report security issues, and allows bug bounty programs to define a scope. Security.txt is the equivalent of robots.txt, but for security issues.


Website

https://securitytxt.org/ (https://github.com/securitytxt/securitytxt.org)

Security.txt GitHub Organization

https://github.com/securitytxt/

Internet draft

The Internet draft for security.txt can be found here: https://tools.ietf.org/html/draft-foudil-securitytxt-02.


Team


EdOverflow

πŸ’» πŸš‡ πŸ“– πŸ”’ πŸ› 🎨 πŸ‘€ βœ‰οΈ πŸ•·

TomNomNom

💻 🚇 📖 👀

Joel Margolis

📖 👀

Jobert Abma

πŸ“– πŸ› πŸ‘€ βœ‰οΈ

GerbenJavado

📖

Justin Calmus

📖 ✉️

Casey Ellis

📖

Ryan Black

🚇 👀

Coen Hyde


Austin Heap

πŸ’» πŸš‡ πŸ“– πŸ”’ πŸ› πŸ‘€ βœ‰οΈ πŸ•·

Karel Origin

💻 🚇 🔒 🐛

Nightwatch Cybersecurity Research

πŸ“– πŸ› πŸ‘€ βœ‰οΈ

FAQ

What is the main purpose of security.txt?

The main purpose of security.txt is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.txt, security researchers can easily get in touch with companies about security issues.

Is security.txt supposed to replace bug bounty platforms?

No. Security.txt is supposed to accompany them.

Contributing

Contributions from the public are welcome.

Using the issue tracker 💡

The issue tracker is the preferred channel for bug reports and feature requests.

Issues and labels 🏷

The bug tracker utilizes several labels to help organize and identify issues.

Guidelines for bug reports 🐛

Use the GitHub issue search: check if the issue has already been reported.

Donations

The security.txt project accepts donations via Liberapay. The money is used to pay bounties to individuals who report valid security vulnerabilities in the security.txt project.
