security.txt collection of most popular world-wide domains
"When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely." - securitytxt.org
Our aim with this project is to:
- Help the community with the information where to submit vulnerabilities for the most popular websites
- Bring more attention to security.txt policies and their significance
- Provide comprehensive research on the current security.txt posture of the top 10000 websites, overall and per country, and track how it improves over time
Statistics (Top 10000) - top.csv
- Get the list of countries and their TLDs from the country-tld.txt file.
- For each country (split out with `file-splitter`):
  - Get the hosts for its TLD
  - Prepend the scheme to every line: `sed 's/^/http:\/\//'`
  - Use mglwls to create the candidate URLs for each host (e.g. http://host.com/security.txt and http://host.com/.well-known/security.txt)
  - Use ffuf with the `-mr` parameter to match `Contact:` or `Policy:` in the response, following redirects, to verify that a security.txt file is actually served
  - Execute a `bash` script to generate the CSV files per country
  - Execute a `python` script to generate a graph with statistics for each of the countries
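The `-mr 'Contact:|Policy:'` match above is what separates a real security.txt from a 200 OK catch-all page, so the verification logic deserves a closer look. The following is an added example, not code from this repository or from the Trickest workflow: an offline validator that builds the same two candidate URLs per host, applies the workflow's loose "Contact: or Policy: at the start of a line" check, and then applies the stricter RFC 9116 requirements (the file must be served as text/plain and must carry both a Contact and an unexpired Expires field). The function and variable names, and the sample bodies, are constructed for this example.

```python
"""Added example (not part of the trickest/security.txt repository):
offline checks for security.txt candidates, mirroring the workflow's
'match Contact: or Policy:' filter and adding RFC 9116 validity checks."""
import csv
import io
import re
from datetime import datetime, timezone

# The two locations the workflow probes: the RFC 9116 well-known path and
# the legacy root path that many sites still use.
CANDIDATE_PATHS = ("/.well-known/security.txt", "/security.txt")

# RFC 9116 fields are "Name: value" lines; names are case-insensitive and
# lines starting with '#' are comments.
FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")


def candidate_urls(host, scheme="http"):
    """Return the URLs the workflow would generate for one host."""
    return [f"{scheme}://{host}{path}" for path in CANDIDATE_PATHS]


def parse_fields(body):
    """Map lower-cased field names to their values, skipping comments/blanks."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return fields


def looks_like_security_txt(body):
    """The workflow's loose filter: a Contact: or Policy: field at line start."""
    fields = parse_fields(body)
    return "contact" in fields or "policy" in fields


def assess(body, content_type="text/plain", now=None):
    """Loose match plus the RFC 9116 checks: text/plain, Contact, unexpired Expires."""
    now = now or datetime.now(timezone.utc)
    fields = parse_fields(body)
    result = {
        "matched": "contact" in fields or "policy" in fields,
        "text_plain": content_type.split(";")[0].strip().lower() == "text/plain",
        "has_contact": "contact" in fields,
        "has_expires": "expires" in fields,
        "expired": None,  # None = undecided (no Expires field or unparsable date)
    }
    if result["has_expires"]:
        try:
            exp = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
            if exp.tzinfo is None:          # RFC 9116 requires a zone; assume UTC if absent
                exp = exp.replace(tzinfo=timezone.utc)
            result["expired"] = exp <= now
        except ValueError:
            result["expired"] = None
    result["valid"] = (result["text_plain"] and result["has_contact"]
                       and result["has_expires"] and result["expired"] is False)
    return result


def summary_csv(records):
    """Render (host, url, assessment) tuples as the kind of CSV the workflow emits."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["host", "url", "matched", "valid"])
    for host, url, res in records:
        writer.writerow([host, url, int(res["matched"]), int(res["valid"])])
    return out.getvalue()


# Constructed sample bodies (not real responses from any site).
GOOD = ("# constructed example\n"
        "Contact: mailto:security@example.com\n"
        "Expires: 2099-12-31T23:59:00.000Z\n"
        "Policy: https://example.com/disclosure\n")
EXPIRED = "Contact: mailto:security@example.com\nExpires: 2020-01-01T00:00:00.000Z\n"
HTML_FALSE_POSITIVE = "<html><body><p>\nContact: sales@example.com\n</p></body></html>"

if __name__ == "__main__":
    rows = []
    for host, body, ctype in (("good.example", GOOD, "text/plain"),
                              ("stale.example", EXPIRED, "text/plain"),
                              ("catchall.example", HTML_FALSE_POSITIVE, "text/html; charset=utf-8")):
        rows.append((host, candidate_urls(host)[0], assess(body, ctype)))
    print(summary_csv(rows))
```

The HTML sample shows why the loose match alone inflates the statistics: a site whose catch-all page happens to contain a line starting with `Contact:` passes the `-mr` filter but is not a security.txt file, which the content-type check catches. The expired sample is the other common failure mode in the wild: a file that exists and matches but that RFC 9116 considers no longer valid.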
Note: As described, almost everything in this repository is generated automatically. We carefully designed the workflows (and continue to develop them) to ensure the results are as accurate as possible.
All contributions/ideas/suggestions are welcome! If you want to add/edit a target/workflow, feel free to create a new ticket via GitHub issues, tweet at us @trick3st, or join the conversation on Discord.
We believe in the value of tinkering. Get Access to the Trickest platform to customize this workflow to your use case, get access to many more workflows, or build your own from scratch!