Security Tip: security.txt
[Tip#9] security.txt is a simple way to share your security contacts to make vulnerability reporting easier.
⚠️ Want me to hack into your app and tell you how I did it, so you can fix it before someone else finds it? Book in a Laravel Security Audit and Penetration Test! 🕵️
A security.txt file is a proposed standard for publishing the security contact details and policies of a website. It lives in the /.well-known/ subdirectory and should be a publicly readable plain-text file. The goal of a security.txt file is to make it simple for anyone wishing to report a security concern to reach the right person quickly, without having to dig through subpages and support docs to find the right email address, or having to convince a support rep that the issue is real and jump through support hoops.
The best place to get started is the proposal at: https://securitytxt.org/
There you will find a wizard to help you build your own security.txt file. Once you have the file, simply upload it to your site as /.well-known/security.txt.
For example, this is the security.txt file on my site:
```
Contact: mailto:firstname.lastname@example.org
Contact: https://twitter.com/valorin
Expires: 2024-09-14T14:00:00.000Z
Encryption: https://keybase.io/valorin
Encryption: https://stephenreescarter.net/pgp-key.txt
Preferred-Languages: en
```
And the one on google.com:
```
Contact: https://g.co/vulnz
Contact: mailto:email@example.com
Encryption: https://services.google.com/corporate/publickey.txt
Acknowledgements: https://bughunters.google.com/
Policy: https://g.co/vrp
Hiring: https://g.co/SecurityPrivacyEngJobs
```
And Amazon's, which also shows that comment lines starting with # are allowed:
```
Contact: https://hackerone.com/amazonvrp/reports/new
Hiring: https://www.amazon.jobs/en/teams/infosec
# Bug Bounty Policy:
Policy: https://hackerone.com/amazonvrp
# For vulnerabilities related to Amazon Web Services (AWS): https://aws.amazon.com/security/vulnerability-reporting/
```
If you want to keep digging into more examples, Scott Helme maintains a list of sites in the Top 1 Million Sites which have a security.txt file: https://crawler.ninja/files/security-txt-sites.txt
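Once a security.txt file is live it is easy to forget about, and a stale Expires date or a missing Contact line makes it useless to a reporter. The following checker is an added example for this tip, not code from the original post or from the securitytxt.org project. It assumes the field rules of RFC 9116, the published version of the proposal: Contact is required, Expires is required, must appear exactly once and must be in the future, Preferred-Languages may appear at most once, and lines starting with # are comments. The two embedded sample files are copied from the examples above; SAMPLE_NOW is a constructed reference date so the result does not depend on when you run it.

```python
"""Parse and sanity-check a security.txt file (added example, not from the post)."""
from __future__ import annotations

from datetime import datetime, timezone

# Field names used in the post's examples plus Canonical from RFC 9116.
KNOWN_FIELDS = {
    "Contact", "Expires", "Encryption", "Acknowledgements",
    "Policy", "Hiring", "Preferred-Languages", "Canonical",
}

# Constructed reference "now" so the checks below are reproducible.
SAMPLE_NOW = datetime(2023, 10, 1, tzinfo=timezone.utc)

# Sample files copied from the post's examples (the author's and google.com's).
MY_FILE = """\
Contact: mailto:firstname.lastname@example.org
Contact: https://twitter.com/valorin
Expires: 2024-09-14T14:00:00.000Z
Encryption: https://keybase.io/valorin
Encryption: https://stephenreescarter.net/pgp-key.txt
Preferred-Languages: en
"""

GOOGLE_FILE = """\
Contact: https://g.co/vulnz
Contact: mailto:email@example.com
Encryption: https://services.google.com/corporate/publickey.txt
Acknowledgements: https://bughunters.google.com/
Policy: https://g.co/vrp
Hiring: https://g.co/SecurityPrivacyEngJobs
"""


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map each field name to the list of its values, in file order.

    Blank lines and '#' comment lines are skipped; a field may repeat
    (e.g. several Contact lines), so values are kept as a list.
    """
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Name: value" line; ignore it
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file looks usable."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: list[str] = []

    if not fields.get("Contact"):
        problems.append("missing Contact: a reporter has no way to reach you")

    expires = fields.get("Expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:  # tolerate a missing offset by assuming UTC
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                problems.append(f"Expires is in the past ({expires[0]}); file is stale")
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")

    if len(fields.get("Preferred-Languages", [])) > 1:
        problems.append("Preferred-Languages must appear at most once")

    # Unknown names are usually typos (e.g. "Contacts"), so surface them.
    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unrecognised field {name!r}")
    return problems


if __name__ == "__main__":
    for label, body in (("mine", MY_FILE), ("google.com", GOOGLE_FILE)):
        print(label, check_security_txt(body, now=SAMPLE_NOW) or "OK")
```

Run against a live site by fetching https://example.org/.well-known/security.txt and passing the body to check_security_txt; the google.com sample as quoted in the post has no Expires line, so the checker reports that, while the author's file passes at SAMPLE_NOW and is flagged as stale once that date has gone by.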