
About security.txt


What is it ?

“When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.”

security.txt files have been implemented by Google, Facebook, GitHub, the UK government, and many other organisations. In addition, the BSI (Germany's Federal Office for Information Security), the UK's Ministry of Justice, the Cybersecurity and Infrastructure Security Agency (US), the French government, the Italian government, the Dutch government, and the Australian Cyber Security Centre endorse the use of security.txt files.

Frequently asked questions

What is the main purpose of security.txt?

The main purpose of security.txt is to make it easier for organisations and security researchers to work together on securing platforms. With a security.txt in place, a researcher who finds a vulnerability can immediately see the right channel for reporting it instead of guessing at addresses or giving up.

Is security.txt an RFC?

Yes! security.txt is published as RFC 9116. We welcome contributions from the public: https://github.com/securitytxt/security-txt

Where should I put the security.txt file?

For websites, the security.txt file should be placed under the /.well-known/ path (/.well-known/security.txt) [RFC8615]. It can also be placed in the root directory (/security.txt) of a website, especially if the /.well-known/ directory cannot be used for technical reasons, or simply as a fallback. The file can be placed in both locations of a website at the same time; if it is, keep both copies identical so that researchers and tooling do not see conflicting contact details.

Are there any settings I should apply to the file?

The security.txt file must be served over HTTPS with an Internet Media Type of text/plain, and the charset parameter should be set to utf-8 (Content-Type: text/plain; charset=utf-8). Make sure the web server does not rewrite the path, redirect it to a login page, or serve it as text/html: the file must have a Contact field and an Expires field, and tools that read it will reject a response that fails these checks.
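To make the placement and serving rules above concrete, here is a small validator, written for this page as an added example rather than code from sematicon or the securitytxt project. It parses a security.txt body and checks it, together with the scheme and Content-Type it was served with, against the rules of RFC 9116: HTTPS only, text/plain with charset utf-8, a Contact field whose values are URIs, and a single Expires timestamp that has not passed. The sample bodies, the example.com hostnames and the fixed "now" timestamp are constructed for the demonstration.

```python
"""Validate a security.txt body plus the metadata it was served with (RFC 9116).

Added example for this page; not code from the original page or project.
All sample inputs below are constructed for illustration only.
"""
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("Contact", "Expires")
KNOWN_FIELDS = ("Acknowledgments", "Canonical", "Contact", "Encryption", "Expires",
                "Hiring", "Policy", "Preferred-Languages", "CSAF")
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")


def parse_security_txt(text):
    """Parse 'Field: value' lines into {field: [values]}; returns (fields, problems)."""
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):        # blank lines and comments are allowed
            continue
        name, sep, value = line.partition(":")
        if not sep:
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        # Field names are case-insensitive; normalise to the RFC's spelling.
        name = next((k for k in KNOWN_FIELDS if k.lower() == name.strip().lower()),
                    name.strip())
        if name not in KNOWN_FIELDS:
            problems.append(f"line {lineno}: unknown field {name!r}")
        fields.setdefault(name, []).append(value.strip())
    return fields, problems


def validate(body, content_type, scheme, now=None):
    """Return (errors, warnings) for a fetched security.txt.

    body: response body; content_type: Content-Type header value;
    scheme: 'https' or 'http'. `now` is injectable so the Expires check is deterministic.
    """
    now = now or datetime.now(timezone.utc)
    fields, errors = parse_security_txt(body)
    warnings = []

    # Transport and media type: HTTPS and text/plain are required, charset utf-8 expected.
    if scheme.lower() != "https":
        errors.append("file must be served over HTTPS")
    ctype = content_type.replace(" ", "").lower()
    if not ctype.startswith("text/plain"):
        errors.append(f"Content-Type must be text/plain, got {content_type!r}")
    elif "charset=utf-8" not in ctype:
        warnings.append("Content-Type should declare charset=utf-8")

    for field in REQUIRED_FIELDS:
        if field not in fields:
            errors.append(f"required field {field} is missing")

    # Contact values must be URIs; a bare e-mail address without mailto: is invalid.
    for value in fields.get("Contact", []):
        if not value.lower().startswith(CONTACT_SCHEMES):
            errors.append(f"Contact value {value!r} is not an https://, mailto: or tel: URI")

    # Expires: exactly once, ISO 8601 with timezone, in the future, ideally < 1 year out.
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        errors.append("Expires must appear exactly once")
    elif expires:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                errors.append("Expires must carry a timezone offset")
            elif when <= now:
                errors.append(f"file expired on {expires[0]}")
            elif when - now > timedelta(days=365):
                warnings.append("Expires is more than a year away; refresh the file more often")
        except ValueError:
            errors.append(f"Expires value {expires[0]!r} is not an ISO 8601 timestamp")
    return errors, warnings


# Constructed samples (example.com is a placeholder, not a real deployment).
GOOD_BODY = """\
# Constructed security.txt for the example
Contact: https://security.example.com
Contact: mailto:security@example.com
Expires: 2031-06-30T23:59:59.000Z
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
"""
BAD_BODY = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
"""
FAR_BODY = "Contact: mailto:security@example.com\nExpires: 2035-01-01T00:00:00Z\n"


def check_examples(now=datetime(2031, 1, 1, tzinfo=timezone.utc)):
    """Validate the three constructed samples at a fixed 'now'; returns {name: (errors, warnings)}."""
    return {
        "good": validate(GOOD_BODY, "text/plain; charset=utf-8", "https", now),
        "bad": validate(BAD_BODY, "text/html", "http", now),
        "far": validate(FAR_BODY, "text/plain", "https", now),
    }


if __name__ == "__main__":
    for name, (errs, warns) in check_examples().items():
        print(name, "errors:", errs, "warnings:", warns)
```

The "bad" sample shows the mistakes this FAQ warns about: plain HTTP, a text/html response, a Contact that is an address rather than a mailto: URI, and an Expires date in the past. In a real check you would fetch https://yourhost/.well-known/security.txt and pass the body, the Content-Type header and the scheme into `validate`.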

Will adding an email address expose me to spam bots?

Contact is a required field, but it does not have to be an email address. Its value can be any URI, so you can point to an https:// link such as your security policy or a reporting form instead of a mailto: address, and no email address needs to appear in the file at all.

If I do not have a security team in house, can I point to sematicon?

Yes. Our products allow a security.txt to be published for every web portal they serve. If you use only our products, you can name our SRT team as the Contact: point to https://security.sematicon.com

Warning

We only accept contact requests and security-related questions about our products, services and integrated components. If you misuse the service, you will face criminal and civil prosecution.