security.txt is like robots.txt, but for security policies

Originally published at: security.txt is like robots.txt, but for security policies | Boing Boing


Does security.txt go in /.well-known along with dnt-policy.txt, where they’ll be alone and forgotten but at least they’ll have each other?
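On the location question above, as an added example that is not from the article or from anyone in the thread: RFC 9116 places the file at /.well-known/security.txt (a copy at the top-level /security.txt is only the legacy location), and requires at least a Contact field and an Expires timestamp. The script below parses a security.txt and checks those rules; the sample file is constructed, and the decision to accept only https/mailto/tel Contact URIs is this script's own simplification (the RFC allows any URI).

```python
"""Parse and sanity-check a security.txt file (RFC 9116).

Added example, not code from the article or the thread.  The sample file
below is constructed; the wording of the checks is this script's own.
"""
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("contact", "expires")
SINGLE_VALUE_FIELDS = ("expires", "preferred-languages")

# Constructed sample security.txt; not copied from any real site.
SAMPLE_SECURITY_TXT = """\
# Constructed sample security.txt for example.com
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-06-30T12:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
"""


def utc_date(year, month, day):
    """Helper so callers can pass a fixed 'now' for reproducible checks."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return {lowercased field name: [values...]} in order of appearance.

    Blank lines and '#' comments are skipped; every other line must be
    'Field: value'.  Field names are case-insensitive per the RFC.
    """
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Field: value', got {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(fields, now=None):
    """Return a list of problems; an empty list means the file passed.

    Checks: required fields present, single-valued fields not repeated,
    Contact values are URIs, Expires is a timezone-aware timestamp in the
    future and (as the RFC recommends) under a year away, Canonical is https.
    """
    now = now or datetime.now(timezone.utc)
    problems = []

    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for name in SINGLE_VALUE_FIELDS:
        if len(fields.get(name, [])) > 1:
            problems.append(f"field must appear only once: {name}")

    # The RFC allows any URI scheme; https/mailto/tel are the ones it lists
    # as examples, so accepting only those is this script's stricter choice.
    for contact in fields.get("contact", []):
        if not contact.startswith(("https://", "mailto:", "tel:")):
            problems.append(f"Contact is not an https/mailto/tel URI: {contact}")

    for canonical in fields.get("canonical", []):
        if not canonical.startswith("https://"):
            problems.append(f"Canonical must be an https URL: {canonical}")

    expires = fields.get("expires", [])
    if expires:
        # fromisoformat() in older Pythons rejects a trailing 'Z'; normalise it.
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
        else:
            if when.tzinfo is None:
                problems.append("Expires must carry a timezone")
            elif when <= now:
                problems.append(f"file expired at {expires[0]}; it must be refreshed")
            elif when - now > timedelta(days=365):
                problems.append("Expires is more than a year away (RFC recommends less)")
    return problems


def check_security_txt(text, now=None):
    """Parse then validate, returning the list of problems found."""
    return validate_security_txt(parse_security_txt(text), now=now)


if __name__ == "__main__":
    for problem in check_security_txt(SAMPLE_SECURITY_TXT) or ["OK"]:
        print(problem)
```

Run it against the text fetched from https://host/.well-known/security.txt; an expired file is the most common failure in practice, since the Expires field exists precisely so that stale contact details stop being trusted.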


The Comments link in the article does not link to the comments.


Our ass: covered
Our house counsel: vaguely technophobic and a lot more expensive than yours
Our desire to do maintenance: nonexistent.


Aw, I was hoping that this was even more like robots.txt - a mechanism to kindly ask third parties not to take advantage of loopholes that the site maintainer has no intention to fix.



I briefly had the same thought. I wonder if Onion has already done it (see: Evil Bit)

Isn’t this the type of thing webmaster@ and abuse@ are for already?

I was hoping to see something that is a bit more descriptive discussing the impacts on USER (browser client) security indicating what are the essential elements vs what could be dangerous loaded content.

I don’t buy the offloading of advertisements to a 3rd party for screening/review/inclusion if there is no way to identify and exclude “malvertisements.”

If the sites will not take such responsibility, at least give some guidance so that I can properly configure my browser to work correctly with your site. Something like a functional description for any site elements that want to run scripts, their intended purpose, and whether they are “safe to run”.


Nicely played.

I’m reminded of the Curator’s Code, a proposed standard for crediting blog-post sources— a letter of the law so likely to be brought to bear against its spirit that everyone in the business of giving credit knew instinctively never to use it.

Uh, how could The Curator’s Code “be brought to bear against its spirit”?

It’s probably more reasonable to ask what did happen instead of what could have happened.

The UK government is also trialling ways to make it easier to report site vulnerabilities, but no sign of them using security.txt, e.g. Report a vulnerability on an MOD system. I’m all in favour of clear ways for researchers to report vulnerabilities and for them to have clear guidelines - it’s certainly better than firing an email into the ether.

↬ becomes no longer a signifier of the source of original authorship, but a general attribution of discovery. It implies that the two are equal, and most everyone would agree that they’re not.
