UK Times
Advocating security.txt across UK government – Technology in government

By uk-times.com, 19 June 2025

Technology has revolutionised every aspect of our society and our economy, including the way that we deliver our public services, helping to make people’s lives easier and safer. Security vulnerabilities are discovered all the time online and people want to be able to report them directly to the organisation responsible. That’s why we are advocating for the use of security.txt as a standardised way of doing just that. One of the most important elements of vulnerability disclosure, and a challenge for the finder, is understanding who to contact.

Security.txt describes a text file that advertises the organisation’s vulnerability disclosure process so that someone can quickly find all of the information needed to report a vulnerability. It is a voluntary standard for internet users set by the Internet Engineering Task Force (RFC 9116).

Security.txt will serve the government in its aim to become more resilient in its online security by making it easier for anyone to report vulnerabilities they have found. Quick, easy and secure reporting directly to the affected department speeds up triage and remediation and reduces the risk of compromise: for example, a report of a vulnerable web server allows it to be remediated before it is exploited. Security.txt was endorsed by the Data Standards Authority in March 2023.

Benefits to government departments & finders

The ability to receive, respond to and ultimately fix a reported vulnerability is essential to providing secure products and services. Being open to receiving vulnerability reports helps departments engage constructively with those who find them – ‘finders’. Engaging with finders can be a source of valuable information that would otherwise be missed or require additional time and effort to discover.

Vulnerability disclosure policy

Departments should define what they expect from someone reporting a vulnerability, as well as what they will do in response, by providing a clear policy. This enables the department and the finder to confidently work within an agreed framework.

In its basic form, a vulnerability disclosure policy should contain the following information:

  • how you want to be contacted
  • secure communication options (for example, a secure web form)
  • what information to include in the report
  • what the finder should expect to happen
  • guidance on what is in and out of scope for the finder to do in finding vulnerabilities

How to implement security.txt

Security.txt is a plaintext file that should be published in the “/.well-known” directory of the domain root.

The file contains three key fields: 

CONTACT: How finders should report vulnerabilities. For example, email or secure web form.

POLICY: A link to the department’s vulnerability disclosure policy.

EXPIRES: Indicates the date and time after which the data contained in the “security.txt” file is considered stale and should not be used. The value of this field is formatted according to the Internet profile of [ISO.8601] as defined in [RFC3339]. It is recommended that the value of this field be less than a year into the future to avoid staleness.

The ENCRYPTION field is optional and should link to the PGP public key you wish to be used for encrypted communication.
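
A pre-publication check for the fields described above, as an added example that is not part of the original article or the NCSC toolkit. The domain example.gov.uk, the sample file and the function names are constructed for illustration; the check also applies two RFC 9116 rules the article does not spell out (web URIs must use https, and Expires must appear exactly once), and it treats field names as case-insensitive.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample, as served from https://example.gov.uk/.well-known/security.txt
SAMPLE = """\
# Constructed example, not a real department's file
Contact: https://example.gov.uk/report-a-vulnerability
Contact: mailto:security@example.gov.uk
Policy: https://example.gov.uk/vulnerability-disclosure-policy
Expires: 2026-01-31T00:00:00Z
Encryption: https://example.gov.uk/pgp-key.txt
"""
NOW = datetime(2025, 6, 19, tzinfo=timezone.utc)  # fixed clock for the example

def parse(text):
    """Map lower-cased field names to their values (names are case-insensitive)."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and not name.startswith("#"):  # skip blank lines and comments
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check(text, now):
    """Return a list of problems; an empty list means the file passes."""
    fields, problems = parse(text), []
    for name in ("contact", "policy"):
        if not fields.get(name):
            problems.append(f"{name}: field is missing")
    for name in ("contact", "policy", "encryption"):
        for uri in fields.get(name, []):
            if urlsplit(uri).scheme == "http":
                problems.append(f"{name}: web URI must use https: {uri}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        return problems + ["expires: must appear exactly once"]
    try:  # older Python versions do not accept a trailing "Z"
        when = datetime.fromisoformat(expires[0].upper().replace("Z", "+00:00"))
    except ValueError:
        when = None
    if when is None or when.tzinfo is None:
        problems.append("expires: not an RFC 3339 date-time with an offset")
    elif when <= now:
        problems.append("expires: date has passed, file is stale")
    elif when > now + timedelta(days=365):
        problems.append("expires: more than a year ahead")
    return problems

if __name__ == "__main__":
    print(check(SAMPLE, NOW))
```

Running the same check on a schedule against the published file, with the real clock in place of `NOW`, catches a file that has gone stale after deployment.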

The National Cyber Security Centre (NCSC) has published the NCSC Vulnerability Disclosure Toolkit that provides information on how to implement security.txt as well as an example vulnerability disclosure policy.
