1. 17

  2. 6

    Seems like this would require some extra infrastructure/monitoring to make sure the security.txt itself is not tampered with. Imagine malware infecting popular webservers that rewrites email addresses to one owned by the hacker.

    It wouldn’t be too farfetched to register a fake email and domain appsec@example-security.net for a target website example.com and get free 0day security disclosures to your inbox. The separate domain is a little suspicious, sure, but if security contact info were always obvious like security@example.com (primary domain) then security.txt wouldn’t be that necessary in the first place.

    What would the extra protection look like? Maybe start with PGP signing the security.txt file? But wait, the PGP file is part of the proposed contents of security.txt. The hacker could change that URL too. Hmm.

    I guess my point is, adding an important file like this is not as trivial as it sounds. It’s not merely a convenience, but also an additional point of attack. Sure, it may not be that likely for a file to be compromised in the first place, but the rewards for compromising the file would be pretty huge depending on the company/owner. So this really requires someone to pay attention to their web stack, which may be a tall order for a non-web developer trying to set up a simple info website for their non-web product, for example.

    1. 3

      I’m far from a security expert but I don’t see the need for it being signed (certifying who signed it). You just need to be sure that it didn’t change over time, and if it does, you need a way to check that it’s normal. I was thinking of a few ideas that might be total crap:

      • Store a strong hash of it in a DNS TXT field?
      • Store it on a blockchain? So you have a history of previous hashes.
      1. 1

        The security implications for this don’t seem to be any different from hosting a Security page in HTML on your website explaining your reporting process?

        1. 2

          I guess the differences are that security.txt is trying to be a standard, and is not visible on the website itself. If the owner doesn’t know about it, a hacker can put one there without the owner ever noticing, since it’s not visible when browsing the website. But security researchers may still use it, assuming the owner put it there.

      2. 1

        I finally found one in the wild: https://gratipay.com/security.txt
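An added example, not code from any commenter in this thread, of the two checks the discussion above circles around: comparing the served security.txt against a hash pinned out-of-band (the "strong hash in a DNS TXT field" idea) and flagging Contact entries that point off the site's own domain (the look-alike appsec@example-security.net scenario). The sample file, the TXT record value and its "securitytxt-sha256=" label are constructed here for illustration and are not a standard format; the field names Contact, Encryption and Expires are real security.txt fields.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Constructed sample of a security.txt file, as a site might serve it at
# /.well-known/security.txt.
SAMPLE_SECURITY_TXT = """\
# Constructed example file
Contact: mailto:security@example.com
Encryption: https://example.com/pgp-key.txt
Expires: 2030-01-01T00:00:00Z
"""


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the raw file bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed DNS TXT record value. The "securitytxt-sha256=" label is an
# assumption made for this example, not a standardised record format.
SAMPLE_TXT_RECORD = "securitytxt-sha256=" + sha256_hex(SAMPLE_SECURITY_TXT.encode("utf-8"))


def pinned_hash(txt_record: str):
    """Extract the pinned SHA-256 hex digest from the TXT record, or None."""
    m = re.fullmatch(r"securitytxt-sha256=([0-9a-f]{64})", txt_record.strip().lower())
    return m.group(1) if m else None


def parse_security_txt(text: str) -> dict:
    """Parse 'Field: value' lines into {field_lower: [values]}, skipping comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def off_site_contacts(fields: dict, site_domain: str) -> list:
    """Return Contact entries whose mailbox or URL host is not under site_domain."""
    flagged = []
    for contact in fields.get("contact", []):
        parsed = urlparse(contact)
        if parsed.scheme == "mailto":
            host = parsed.path.rpartition("@")[2].lower()
        else:
            host = (parsed.hostname or "").lower()
        if host != site_domain and not host.endswith("." + site_domain):
            flagged.append(contact)
    return flagged


def verify_security_txt(text: str, txt_record: str, site_domain: str):
    """Check the served file against the pinned hash, then sanity-check contacts.

    Returns (ok, reason, flagged_contacts). The hash check runs first, so a
    tampered file is rejected before its contents are trusted for anything.
    """
    expected = pinned_hash(txt_record)
    if expected is None:
        return False, "no valid hash pin in DNS TXT record", []
    actual = sha256_hex(text.encode("utf-8"))
    if not hmac.compare_digest(actual, expected):
        return False, "hash mismatch: served security.txt differs from pinned copy", []
    fields = parse_security_txt(text)
    if "contact" not in fields:
        return False, "no Contact field", []
    flagged = off_site_contacts(fields, site_domain)
    if flagged:
        return False, "Contact points outside the site's domain", flagged
    return True, "ok", []


if __name__ == "__main__":
    print(verify_security_txt(SAMPLE_SECURITY_TXT, SAMPLE_TXT_RECORD, "example.com"))
    tampered = SAMPLE_SECURITY_TXT.replace("security@example.com", "appsec@example-security.net")
    print(verify_security_txt(tampered, SAMPLE_TXT_RECORD, "example.com"))
```

In a real deployment the TXT record would be fetched from DNS (ideally with DNSSEC validation) and the file over HTTPS; the point of keeping the pin in DNS is that an attacker who can only write to the web root cannot also rewrite the record. The off-domain check is a heuristic, not proof of tampering, since some organisations legitimately route reports through a third party.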