
security.txt: A Simple File with Big Value


By Sandy Radesky, Associate Director, and Stephanie Kennelley

Our team at CISA often receives questions about why creation of a “security.txt” file was included as one of the priority Cybersecurity Performance Goals (CPGs). Why is it so important? Well, it’s such a simple concept, but it provides great value to all of those involved in vulnerability management and disclosure.

When security researchers and bug hunters uncover vulnerabilities in an organization's ecosystem, how do they even know who to reach out to? Without clear reporting channels, researchers may be unable to quickly discern where to report vulnerabilities, and meanwhile the organization remains exposed to attackers. Any organization can remove this obstacle, in line with CISA's guidance, with a single text file: security.txt.

Earlier this year, CISA launched the Ransomware Vulnerability Warning Pilot (RVWP) program, which proactively discovers and notifies organizations of their exposure to internet-accessible vulnerabilities used in ransomware attacks, so that they can mitigate before an incident occurs. Our notification process is regularly hampered by the inability to find an appropriate point of contact for an organization. According to a recent study, only about half a percent of the world's top one million websites publish a security.txt file. The lack of this simple file leads to multiple emails and phone calls to the organization, delaying the notification and the organization's awareness of the critical need to mitigate its ransomware risk.

To accelerate the delivery of all notifications, CISA supports using the security.txt standard to streamline notifications and reduce the risk of compromise. It not only helps our work but also supports other partners that try to warn organizations of internet-accessible vulnerabilities that threat actors can exploit. This matters most for organizations in our critical infrastructure sectors.

For those that don't already know, security.txt is an Internet standard published as RFC 9116 (an Informational RFC) that concisely advertises an entity's vulnerability disclosure process. Like robots.txt, this machine-readable, plain-text file resides on a public-facing web server, where security professionals and researchers can quickly identify the entity's preferences for reporting vulnerabilities. The RFC places the file under the /.well-known/ path (https://example.com/.well-known/security.txt); a copy or redirect at the root (https://example.com/security.txt) is allowed for legacy compatibility, and the file must be served over HTTPS. The RFC also recommends signing the file with an OpenPGP cleartext signature so researchers can verify that the contact information has not been tampered with. A security.txt file applies only to the host it is retrieved from, so each domain and subdomain within an entity's network should serve its own file (or redirect to a canonical one).

CISA's security.txt file resides on our public-facing domain at https://www.cisa.gov/security.txt (this URL redirects to the file's canonical location) and currently reads:

Contact: mailto:ContactOCIO@cisa.dhs.gov
Expires: 2024-10-01T00:00:00.000Z
Encryption: https://www.cisa.gov/contact-us
Hiring: https://www.cisa.gov/careers

Generally, a security.txt file contains the following fields. Each is a "Field: value" line; field names are case-insensitive but must be spelled as the RFC spells them, or tools will not recognize them.

Contact (required; may be repeated)

How researchers should contact the entity to report security vulnerabilities, given as a URI: a mailto: address, a tel: number, or an https: web page. List contact methods in order of preference, with the first being most preferred.

Expires (required; exactly once)

Date and time, in ISO 8601 format, after which the data contained in the security.txt file is considered stale and should not be used. RFC 9116 recommends a value less than a year in the future, so schedule a reminder to refresh the file before it lapses.

Encryption (optional)

Link to the entity's public key (such as an OpenPGP key) for researchers to encrypt communications with the entity. The field points to the key; it must not contain the key itself.

Canonical (optional)

Canonical URIs where the security.txt file is located. A web URI here must begin with "https://".

Example:

Canonical: https://www.cisa.gov/sites/default/files/security.txt

Acknowledgments (optional)

Link to a page where security researchers are recognized for their reports and collaboration. Note the RFC spelling, "Acknowledgments", with no second "e".

Preferred-Languages (optional; at most once)

Comma-separated list of natural languages in which researchers can submit reports to the entity. If the field is omitted, researchers may assume the preferred language is English. (Communication is key.)

Example (for English, Spanish, and French):

Preferred-Languages: en, es, fr

Policy (optional)

Link to the location of the entity's vulnerability disclosure policy and reporting practices.

Hiring (optional)

Link to the entity's security-related job positions.

CSAF (optional)

Link to the provider-metadata.json of your CSAF (Common Security Advisory Framework) provider; the link must begin with "https://". This field is defined by the CSAF 2.0 specification and registered with IANA, rather than by RFC 9116 itself.
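The field rules above are mechanical enough to check automatically, which is worth doing both before you publish a file and before a notifier like RVWP trusts one. The Python script below is an added example, not CISA's code or tooling from RFC 9116: it parses a security.txt file (skipping comments and an OpenPGP cleartext-signature wrapper), normalizes field names to the RFC spelling, and reports missing required fields, repeated single-use fields, misspelled fields, Contact values that are not mailto:/tel:/https: URIs, web links that are not HTTPS, and an Expires value that is unparsable, already past, or more than a year out. The example.org URIs and both sample files are constructed for illustration.

```python
"""Parse and sanity-check a security.txt file against the rules in RFC 9116.

Added example: illustrative code, not CISA's or the RFC's own tooling.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Field names as spelled in RFC 9116 section 2.5 (note "Acknowledgments"),
# plus "CSAF", which the CSAF 2.0 specification registered with IANA.
REQUIRED = ("Contact", "Expires")
SINGLE_USE = ("Expires", "Preferred-Languages")
KNOWN = {"Contact", "Expires", "Encryption", "Canonical", "Acknowledgments",
         "Preferred-Languages", "Policy", "Hiring", "CSAF"}
WEB_LINK_FIELDS = ("Encryption", "Canonical", "Acknowledgments", "Policy", "Hiring", "CSAF")
CONTACT_SCHEMES = {"mailto", "tel", "https"}


def parse(text):
    """Return (fields, problems); fields maps RFC field name -> values in file order.

    Comments (#), blank lines and an OpenPGP cleartext-signature wrapper are
    skipped, so a signed file yields the same fields as an unsigned one.
    """
    fields, problems = {}, []
    in_signature = expect_armor_header = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            expect_armor_header = True
            continue
        if expect_armor_header:
            expect_armor_header = False
            if line.startswith("Hash:"):  # armor header, not a security.txt field
                continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            in_signature = True
            continue
        if line == "-----END PGP SIGNATURE-----":
            in_signature = False
            continue
        if in_signature or not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        # Field names are case-insensitive; map known ones to the RFC spelling.
        name = name.strip()
        canonical = next((k for k in KNOWN if k.lower() == name.lower()), name)
        fields.setdefault(canonical, []).append(value.strip())
    return fields, problems


def validate(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse(text)
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in SINGLE_USE:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear exactly once")
    for name in fields:
        if name not in KNOWN:
            problems.append(f"unknown field {name} (misspelled?)")
    for uri in fields.get("Contact", []):
        if urlparse(uri).scheme.lower() not in CONTACT_SCHEMES:
            problems.append(f"Contact must be a mailto:, tel: or https: URI: {uri}")
    for name in WEB_LINK_FIELDS:
        for uri in fields.get(name, []):
            if uri.lower().startswith("http://"):
                problems.append(f"{name} web links must use https://: {uri}")
    for value in fields.get("Expires", []):
        try:  # fromisoformat() accepts a "Z" suffix only from 3.11, so spell it out
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {value}")
            continue
        if expires.tzinfo is None:
            problems.append("Expires must include a timezone offset")
        elif expires <= now:
            problems.append(f"file expired on {value}; notifiers should not trust it")
        elif expires - now > timedelta(days=365):
            problems.append("Expires is more than a year out (RFC recommends under a year)")
    return problems


# Constructed sample files for demonstration (example.org is hypothetical).
GOOD = """\
# Hypothetical security.txt for example.org
Contact: mailto:security@example.org
Contact: https://example.org/report
Expires: 2025-06-01T00:00:00.000Z
Encryption: https://example.org/pgp-key.txt
Preferred-Languages: en, es
Canonical: https://example.org/.well-known/security.txt
"""

BAD = """\
Contact: http://example.org/report
Expires: 2023-01-01T00:00:00Z
Preferred-Languages: en
Preferred-Languages: fr
Acknowledgements: https://example.org/thanks
"""

FIXED_NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # deterministic "today"

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate(text, FIXED_NOW) or "OK")
```

Run as-is, GOOD reports no problems and BAD reports four: the repeated Preferred-Languages, the misspelled Acknowledgements field, the http: Contact URI, and the expired date. Point `validate()` at the body fetched from a host's /.well-known/security.txt (falling back to /security.txt) to apply the same checks to a live file.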


CISA recommends that all organizations adopt the security.txt standard. As part of the larger cybersecurity community, you can help advance the adoption of the Cybersecurity Performance Goals (CPGs) and make every American's critical infrastructure more resilient. The small effort of adding this simple file, and keeping it updated before its Expires date passes, will make a huge impact in improving not only your own organization's security but also the national cybersecurity ecosystem!