Does your organization have a Security.txt file? – Krebs on Security
It happens all the time: organizations are hacked because there is no obvious way for security researchers to tell them about security breaches or data leaks. Or it is not entirely clear who should receive the report when remote access to an organization’s internal network is being sold in the cybercrime underground.
To reduce the frequency of these scenarios, an increasing number of large companies are adopting “security.txt,” a proposed new Internet standard that helps organizations describe their vulnerability disclosure practices and preferences.
The idea behind Security.txt is simple: the organization places a file called security.txt in a predictable location, such as example.com/security.txt or example.com/.well-known/security.txt. The contents of the security.txt file vary somewhat, but most include links to information about the entity’s vulnerability disclosure policies and a contact email address.
The security.txt file published by USAA, for example, includes links to its bug bounty program; an email address for disclosing security-related matters; its public encryption key and its vulnerability disclosure policy; and even a link to a page where USAA thanks researchers who have reported significant cybersecurity issues.
Other security.txt disclosures are less detailed, as in the case of HCA Healthcare, which lists a contact email address and a link to HCA’s “responsible disclosure” policies. Like USAA and many other organizations that have posted security.txt files, HCA Healthcare also includes a link to information about IT security job openings at the company.
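To make the mechanism described above concrete, here is an added example (not code from the article, from USAA, HCA or any project it names) that parses a security.txt file and sanity-checks the fields the article mentions: contact addresses, an encryption key, a disclosure policy, an acknowledgments page and a hiring link. The field names and the rules (at least one Contact, exactly one Expires, at most one Preferred-Languages) follow the security.txt specification as this example’s author understands it; treat them as an assumption and check them against the draft you target. The sample file and the example.com URLs are constructed.

```python
"""Parse and sanity-check a security.txt file (added example, not the article's code)."""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Optional

# Constructed sample modelled on the fields the article describes.
SAMPLE = """\
# Constructed example; not a real organization's file
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2099-12-31T23:59:00.000Z
Encryption: https://example.com/pgp-key.txt
Acknowledgments: https://example.com/hall-of-fame
Policy: https://example.com/disclosure-policy
Hiring: https://example.com/careers/security
Preferred-Languages: en
"""


def candidate_urls(domain: str) -> list[str]:
    """The two locations the article names; /.well-known/ is the preferred one."""
    return [
        f"https://{domain}/.well-known/security.txt",
        f"https://{domain}/security.txt",
    ]


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Return field name (lower-cased) -> list of values.

    Blank lines and '#' comments are skipped. Field names are case-insensitive
    in the specification, so they are normalised here; a field may repeat
    (e.g. several Contact lines), hence the list of values.
    """
    fields: dict[str, list[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Field: value', got {raw!r}")
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate(fields: dict[str, list[str]], now: Optional[datetime] = None) -> list[str]:
    """Return a list of problems; an empty list means the file looks usable."""
    problems: list[str] = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("no Contact field: reporters have nobody to write to")
    for c in contacts:
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact {c!r} should be a mailto:, https:// or tel: URI")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            # fromisoformat() does not accept a trailing 'Z' on older Pythons.
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when <= (now or datetime.now(timezone.utc)):
                problems.append(f"file expired on {expires[0]}; contacts may be stale")
        except ValueError:
            problems.append(f"Expires {expires[0]!r} is not an ISO 8601 timestamp")
    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages may appear only once")
    # Links that researchers will follow must be served over HTTPS.
    for key in ("policy", "acknowledgments", "hiring", "canonical"):
        for v in fields.get(key, []):
            if not v.startswith("https://"):
                problems.append(f"{key.title()} {v!r} should be an https:// URL")
    return problems


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE)
    print("would fetch:", candidate_urls("example.com"))
    print("contacts:", parsed["contact"])
    print("problems:", validate(parsed) or "none")
```

The check for a stale Expires date matters in practice: an out-of-date file points researchers at mailboxes nobody reads, which is exactly the failure mode the article describes.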
Having a security.txt file can make it easier for organizations to respond to active security threats. For example, just this morning a trusted source handed me the VPN credentials of a large clothing retailer that had been stolen by malware and offered to cybercriminals. Unable to find any security.txt file on the retailer’s site using gotsecuritytxt.com (which checks a domain for the presence of this contact file), KrebsOnSecurity sent an alert to the “security@” email address at the retailer’s domain.
Many organizations have long used the unofficial (if unadvertised) security@[companydomain] email address to accept reports of security incidents or vulnerabilities. Maybe this particular retailer also did at some point, but my message bounced with a note that the email had been blocked. KrebsOnSecurity also messaged the retailer’s Chief Information Officer (CIO), the only C-level executive at the retailer who was part of my immediate LinkedIn network. I still don’t know if anyone has read it.
Although security.txt is not yet an official Internet standard approved by the Internet Engineering Task Force (IETF), its basics have so far been adopted by at least eight percent of Fortune 100 companies. According to a review of the domain names of the most recent Fortune 100 companies via gotsecuritytxt.com, these include Alphabet, Amazon, Facebook, HCA Healthcare, Kroger, Procter & Gamble, USAA and Walmart.
There may be another good reason to consolidate security contact information and vulnerability reporting in one predictable place. Alex Holden, founder of the Milwaukee-based consulting firm Hold Security, said it is not uncommon for malicious hackers to have trouble getting the attention of the right people within the very organization they just hacked.
“In case of ransom, the bad guys try to contact the company with their demands,” Holden said. “You have no idea how often their messages are filtered, deleted, blocked or ignored.”
PREPARE FOR A DELUGE
So if security.txt is so great, why haven’t more organizations embraced it yet? It seems that setting up a security.txt file tends to attract a fairly high volume of spam. Most of this spam comes from self-appointed penetration testers who, without any invitation to do so, run automated vulnerability discovery tools and then submit the resulting reports in the hope of securing a consulting engagement or bug bounty fees.
This dynamic was a major topic of discussion in this Hacker News thread on security.txt, in which a number of readers recounted being so inundated with low-quality vulnerability scan reports that it became difficult to spot which reports were really worth investigating thoroughly.
Edwin “EdOverflow” Foudil, the co-author of the proposed notification standard, recognized that spam reports are a major drawback for organizations that offer a security.txt file.
“This is actually stated in the specification itself, and it’s extremely important to point out that organizations that implement it are going to be inundated,” Foudil told KrebsOnSecurity. “One of the reasons bug bounty programs are successful is that they are basically a glorified spam filter. But whatever approach you take, you’re going to be inundated with these shitty, mediocre reports.”
Often these sub-par vulnerability reports come from individuals who scanned the entire Internet for one or two security vulnerabilities, then attempted to contact all of the vulnerable organizations at once in a semi-automated fashion. Fortunately, Foudil said, many of these nuisance reports can be ignored or aggregated by creating filters that look for messages containing keywords commonly found in automated vulnerability scan output.
Foudil said that despite the spam issues, he has heard overwhelmingly positive feedback from a number of universities that have implemented security.txt.
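The keyword filter Foudil describes is simple to implement. The following is an added example (not code from the article, from Foudil or from any project named here) that pre-sorts inbound reports: messages matching several phrases typical of unsolicited scanner output, and containing no concrete reproduction detail, go to a low-priority queue, while everything else is reviewed first. Nothing is discarded, so a scanner-looking mail that does carry real detail still reaches a human. The phrase lists, the sample messages and the example.com addresses are all constructed for illustration and will need tuning to a real inbox.

```python
"""Keyword-based pre-triage of inbound vulnerability reports (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Phrases that recur in unsolicited scanner dumps. Constructed starting point,
# not a standard list; tune it to what actually lands in your security@ inbox.
SCANNER_PHRASES = [
    r"missing (?:x-frame-options|content-security-policy|strict-transport-security) header",
    r"clickjacking",
    r"spf record (?:is )?missing",
    r"no dmarc record",
    r"server version disclosure",
    r"\b(?:nikto|nessus|openvas|acunetix)\b",
    r"i (?:have )?found (?:a )?vulnerabilit(?:y|ies) (?:in|on) your website",
    r"\b(?:bounty|reward|compensation)\b",
]

# Signals that a person wrote something specific and reproducible.
SUBSTANCE_PHRASES = [
    r"steps to reproduce",
    r"proof of concept|\bpoc\b",
    r"https?://\S+/\S+",        # a concrete URL with a path, not just a domain
    r"\bcurl ",                 # a pasted request
    r"http/1\.[01] [2-5]\d\d",  # a pasted response status line
]


@dataclass
class Report:
    sender: str
    subject: str
    body: str


@dataclass
class Verdict:
    bucket: str  # "review-first" or "low-priority"
    scanner_hits: list[str] = field(default_factory=list)
    substance_hits: list[str] = field(default_factory=list)


def classify(report: Report) -> Verdict:
    """Score one report against both phrase lists and pick a queue."""
    text = f"{report.subject}\n{report.body}".lower()
    scanner = [p for p in SCANNER_PHRASES if re.search(p, text)]
    substance = [p for p in SUBSTANCE_PHRASES if re.search(p, text)]
    # Two or more boilerplate hits and no reproducible detail: park it, but keep it.
    bucket = "low-priority" if len(scanner) >= 2 and not substance else "review-first"
    return Verdict(bucket, scanner, substance)


def triage(reports: list[Report]) -> dict[str, list[str]]:
    """Group report subjects by queue so a reviewer can work the short list first."""
    queues: dict[str, list[str]] = {"review-first": [], "low-priority": []}
    for r in reports:
        queues[classify(r).bucket].append(r.subject)
    return queues


# Constructed sample inbox.
SAMPLE_REPORTS = [
    Report("scan@example.net", "Vulnerability found in your website",
           "Hello team, I have found vulnerabilities in your website. "
           "Missing X-Frame-Options header (clickjacking). No DMARC record. "
           "Please let me know about the bounty."),
    Report("researcher@example.org", "Unauthenticated access to /api/v1/admin",
           "Steps to reproduce: 1. curl -i https://shop.example.com/api/v1/admin "
           "without a session cookie. 2. Observe HTTP/1.1 200 OK and a user list. "
           "Proof of concept attached."),
    Report("bot@example.net", "SPF record missing",
           "Your SPF record is missing and there is no DMARC record. Nikto output attached."),
]

if __name__ == "__main__":
    for queue, subjects in triage(SAMPLE_REPORTS).items():
        print(f"{queue}: {subjects}")
```

The threshold of two scanner phrases is deliberately conservative; the cost of a false negative (a real finding parked in the low-priority queue) is higher than the cost of reading one more boilerplate mail, so the low-priority queue should still be skimmed, just less urgently.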
“It has been incredibly successful with universities, which tend to have a lot of older legacy systems,” he said. “In that context, we saw a ton of valuable reports.”
Foudil says he’s delighted that eight of the Fortune 100 companies have already implemented security.txt, even though it has not yet been approved as an IETF standard. When and if security.txt is approved, he hopes to spend more time promoting its benefits.
“I’m not trying to make money with this thing, which came about after chatting with quite a few people at DEFCON [the annual security conference in Las Vegas] who struggled to report security issues to vendors,” Foudil said. “The main reason I’m not doing my best to promote it now is because it’s not yet an official standard.”
Has your organization considered or implemented security.txt? Why or why not? Sound off in the comments below.