back to article Bug-finders' scheme: Tick-tock, this tech's tested by flaws.. but who the heck do you tell?

Security researcher E. Foudil is pushing a scheme to make it easier for bug finders to notify companies about problems with their technology. The idea revolves around “security.txt” - a simple text file, much like robots.txt, that contains information on whom to contact or where to look for security related information about a …

  1. Alan J. Wylie

    first publicised back in September

    September 15, 2017

    Ed Foudil, a web developer and security researcher, has submitted a draft to the IETF — Internet Engineering Task Force — seeking the standardization of security.txt, a file that webmasters can host on their domain root and describe the site's security policies.

  2. Anonymous Coward
    Anonymous Coward

    Can I have your customer number?

    "Not a customer? Sorry, we don't want to hear about our product unless you've actually given us cash in the past".

    Typical response trying to notify peeps, been there, done that. But then again, there is a "reason" why it's so hard to reach the right person.

    That guy/gal is probably wearing 15 hats and hiding from their paying customers. Don't have time for free lance help desk tickets...

  3. DCFusor

    False hits

    If adopted, this will be:

    DOSed to death

    Falsely reported by people who aren't qualified to know a true bug or give replication info

    Cost more than it's worth to separate the wheat from the chaff.

    I'm sympathetic to getting real bug info to the right place more easily, but I don't see how this solves anything much - there are reasons, some listed above, why manufacturers don't already make it easy for any random person to waste the time of their developers.

    Obviously, the manufs have gone too far here and just ignore it all, but any real solution is going to have to have someone "watch the watchers" and come up with money/effort to do the screening.

    1. Anonymous Coward
      Anonymous Coward

      Re: False hits

      This. As soon as you list contact details, it will become like whois and 'abuse' addresses, will get spammed to death, and ultimately ignored by the other side. As it benefits only a small number of people (security researchers) I hardly find it will have a wide adoption except by big companies, which already have bug bounty programs anyway.

  4. Alister

    So, Scott, you want me to publish an easily discoverable text file containing an email address, phone number etc, on all our sites?

    And you don't think that, perhaps, we might be spammed to death within hours of putting it up?

  5. phishcop

    Nice idea, but...

    Nice idea, but it's not going to work. Most of the sites I run across with problems have already been hacked. If the hacker can add files, he/she can usually remove files as well. If this became a standard, the security.txt file would be the first thing they delete.

    What you're trying to accomplish can already be done with WHOIS (providing the people maintaining and enforcing WHOIS databases do their job). Unfortunately, ICANN and others think it's more important that people can hide (a.k.a. "Domain Privacy") than the original intent of the WHOIS data, which was to provide reliable contact information to owners of a domain or IP address!!

  6. This post has been deleted by its author

  7. stefbishop

    Use DNS

    DNS provides for a contact address in its SOA record.

  8. Stuart Halliday

    Would be nice if the vendors did a version.txt of their software too.

  9. Robert Carnegie Silver badge


    For a web site, isn't this just mailto:webmaster@web-site-name.tld ?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021