Technical Summary
This document defines a file format ("security.txt") to help organizations
publish their contact information and procedures for disclosure of
security vulnerabilities. This is expected to improve the ability of
security researchers to be able to provide their results in an actionable
form. Note that vulnerability disclosure is distinct from incident response,
and this mechanism is not necessarily well suited for use in incident
response, but there are other mechanisms defined for coordinating
incident response.
Working Group Summary
This document is AD-sponsored, so there is no specific WG
for it. However, discussion did occur on the SAAG list as well
as during IETF Last Call. The document was rather contentious,
with the most debated point being the risk that use of security.txt
to report compromise is highly flawed, since an attacker that has
compromised the hosting system could change its contents.
There was also discussion of whether the format should be more
readily machine parsable; the current structure targets only human
consumption, since human judgment will be needed for many of the
steps in actually using the information it contains. Other topics from
the last-call review are mentioned in the summary message of the
last-call comments, available at
https://mailarchive.ietf.org/arch/msg/saag/bmsyx9JKnuugpHvajw9svD0B0ks/
The document was updated to address these concerns, including emphasizing
the intended use for vulnerability disclosure (not incident response), and
the need for human judgment in processing the contents.
Document Quality
The security.txt file is already in use by many organizations and
referenced from external documents. An informal survey of
HTTP sites providing security.txt information, as summarized
at https://github.com/securitytxt/security-txt/issues/191
finds that many are well formed, though some minor syntactic
errors are present in others.
Personnel
The Document Shepherd is Kathleen Moriarty.
The responsible AD is Benjamin Kaduk.