Handling security incidents is an extremely time consuming process, not just for the affected organization (who needs to patch the vulnerability, make the public disclosure, etc.) but also for the researchers who adhere to the principle of responsible disclosure. The
responsible disclosure requirers the researchers to make a private disclosure to the affected organization which can be extremely frustrating procedure if there is no clear contact designated by the organization for handlings such matters.
In many instances, researchers are forced to establish contact via social media, call centers, online chats, ticking systems and what not, in order to open a private channel to facilitate the security disclosures. This leads to loss of valuable time that leaves the organization vulnerable for longer period of time.
The RFC2142 proposes establishing a mailbox
SECURITY@domain specifically to handle security related queries. Despite this, the main problem is that many organizations have no agreed way in which this information will be easily available for people seeking to do the disclosure. A recent RFC proposes a simple way of making this information available for people.
security.txt file is a simple text file just like
robots.txt for any website. This security text file contains the information on who to contact or where to look for security specific information about a particular organization. A special website securitytxt.org provides an organization with all the information necessary to understand this niche file. An example of
security.txt for google is as following:
Contact: https://g.co/vulnz Contact: mailto:firstname.lastname@example.org Encryption: https://services.google.com/corporate/publickey.txt Acknowledgement: https://bughunter.withgoogle.com/ Policy: https://g.co/vrp Hiring: https://g.co/SecurityPrivacyEngJobs
Such file contains precisely the information a researcher would need, should they need to contact Google for security issues. The file is supposed to be reside in the
/.well-known/ path of the domain. If any organization has email address that should be used for reporting security incidents then its highly recommended setting up such a
security.txt file. Its extremely simple (the website mentioned earlier also has this file generator) and it will save the crucial time in the event of researcher wanting to contact about security issue.
- Github repo contact.sh
An OSINT tool to find contacts in order to report security vulnerabilities.