A File Format to Aid in Security Vulnerability Disclosure

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: The IESG <iesg@ietf.org>, Kathleen.Moriarty.ietf@gmail.com, draft-foudil-securitytxt@ietf.org, kaduk@mit.edu, rfc-editor@rfc-editor.org
Subject: Document Action: 'A Method for Web Security Policies' to Informational RFC (draft-foudil-securitytxt-08.txt)

The IESG has approved the following document:
- 'A Method for Web Security Policies'
  (draft-foudil-securitytxt-08.txt) as Informational RFC

This document has been reviewed in the IETF but is not the product of an IETF
Working Group.

The IESG contact person is Benjamin Kaduk.

A URL of this Internet Draft is:

Technical Summary

This document defines a file format ("security.txt") to help organizations
publish their contact information and procedures for disclosure of
security vulnerabilities.  This is expected to improve the ability of
security researchers to provide their results in an actionable
form.  Note that vulnerability disclosure is distinct from incident response,
and this mechanism is not necessarily well suited for use in incident
response, but there are other mechanisms defined for coordinating
incident response.

Working Group Summary

This document is AD-sponsored, so there is no specific WG
for it.  However, discussion did occur on the SAAG list as well
as during IETF Last Call.  The document was rather contentious,
with the most debated point being that use of security.txt
to report compromise is highly flawed, since an attacker that has
compromised the hosting system could change its contents.
There was also discussion of whether the format should be more
readily machine parsable; the current structure targets only human
consumption, since human judgment will be needed for many of the
steps in actually using the information it contains.  Other topics from
the last-call review are mentioned in the summary message of the
last-call comments, available at
The document was updated to address these concerns, including emphasizing
the intended use for vulnerability disclosure (not incident response), and
the need for human judgment in processing the contents.

Document Quality

The security.txt file is already in use by many organizations and
referenced from external documents.  An informal survey of
HTTP sites providing security.txt information, as summarized
at https://github.com/securitytxt/security-txt/issues/191,
finds that many are well formed, though some minor syntactic
errors are present in others.


The Document Shepherd is Kathleen Moriarty.
The responsible AD is Benjamin Kaduk.