
NCSC backs use of security.txt for cyber resilience

14/08/23

Mark Say, Managing Editor


Government organisations have been urged to use the security.txt standard for reporting cyber security vulnerabilities.

The National Cyber Security Centre (NCSC) has highlighted the importance of the approach, saying it will help government become more resilient in its online security.

Ollie N, head of vulnerability management at NCSC, has put the case forward in a blogpost, explaining that it will help to ensure the right people are contacted when a vulnerability is reported.

He said security.txt, published by the Internet Engineering Task Force as RFC 9116 (an Informational RFC, so adoption is voluntary), describes a text file that advertises an organisation’s vulnerability disclosure process so that a finder can quickly locate all the information needed to report a vulnerability. The Government’s Data Standards Authority endorsed it in March of this year.

It should be published at /.well-known/security.txt under the domain root. The NCSC post lists three fields to include: a Contact field giving where to report vulnerabilities; a Policy field linking to the organisation’s vulnerability disclosure policy; and an Expires date and time after which the data in the file should be considered stale and not used. (RFC 9116 itself makes only Contact and Expires mandatory; Policy is optional but recommended.) There is also an optional Encryption field pointing to a key that reporters can use to encrypt their reports.
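As an added worked example (not code from the NCSC post or from UKAuthority), the following Python checks a security.txt file for the points above: it parses the Field: value lines, strips an OpenPGP clearsign wrapper without verifying the signature, and reports a missing Contact or Expires, an http:// contact, an expired or far-future Expires, an unknown field name, and a missing Policy. The sample files, the example.gov.uk domain and every URL in them are constructed for illustration.

```python
"""Parse and sanity-check a security.txt file against RFC 9116 (added example)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# RFC 9116 makes only Contact and Expires mandatory; Policy is optional in the
# RFC but the NCSC guidance expects one. A field name outside KNOWN is usually a typo.
REQUIRED = ("contact", "expires")
KNOWN = {"contact", "expires", "policy", "encryption", "acknowledgments",
         "canonical", "hiring", "preferred-languages"}
ARTICLE_DATE = datetime(2023, 8, 14, tzinfo=timezone.utc)  # fixed "now" for the samples

def strip_clearsign(text: str) -> str:
    """Return the body of an OpenPGP clearsigned file (the signature is NOT verified here)."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    body, in_headers = [], True  # armor headers such as "Hash: SHA256" end at a blank line
    for line in lines[1:]:
        if in_headers:
            in_headers = line.strip() != ""
            continue
        if line.strip() == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
    return "\n".join(body)

def parse_security_txt(text: str) -> tuple[dict[str, list[str]], list[str]]:
    """Return ({lower-case field: [values]}, [parse problems])."""
    fields: dict[str, list[str]] = {}
    problems: list[str] = []
    for n, raw in enumerate(strip_clearsign(text).splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip() or not value.strip():
            problems.append(f"line {n}: not a 'Field: value' line: {line!r}")
            continue
        name = name.strip().lower()
        if name not in KNOWN:
            problems.append(f"line {n}: unknown field {name!r}")
        fields.setdefault(name, []).append(value.strip())
    return fields, problems

def check_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return ERROR/WARN findings; an empty list means every check here passed."""
    now = now or datetime.now(timezone.utc)
    fields, findings = parse_security_txt(text)
    for name in REQUIRED:
        if name not in fields:
            findings.append(f"ERROR: mandatory field {name.capitalize()}: is missing")
    # Contact must be a URI, and a web URI must be https (RFC 9116 section 2.5.3).
    for uri in fields.get("contact", []):
        scheme = urlparse(uri).scheme.lower()
        if not scheme:
            findings.append(f"ERROR: Contact {uri!r} is not a URI (https://, mailto: or tel:)")
        elif scheme == "http":
            findings.append(f"ERROR: Contact {uri!r} uses http; web contacts must be https")
    # Expires is an RFC 3339 date-time with offset; a stale file must not be trusted.
    for stamp in fields.get("expires", [])[:1]:
        try:
            when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"ERROR: Expires {stamp!r} is not an RFC 3339 date-time")
            continue
        if when.tzinfo is None:
            findings.append(f"ERROR: Expires {stamp!r} has no timezone offset")
        elif when <= now:
            findings.append(f"ERROR: file expired at {when.isoformat()}; do not use it")
        elif when > now + timedelta(days=365):
            findings.append("WARN: Expires is over a year away; RFC 9116 recommends less")
    if "policy" not in fields:
        findings.append("WARN: no Policy: field; NCSC guidance expects a disclosure policy link")
    return findings

# Constructed samples for a hypothetical example.gov.uk; GOOD_FILE is clearsigned.
GOOD_FILE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Where to report vulnerabilities in example.gov.uk services
Contact: https://example.gov.uk/report-a-vulnerability
Contact: mailto:security@example.gov.uk
Expires: 2024-06-30T23:59:00Z
Policy: https://example.gov.uk/vulnerability-disclosure-policy
Encryption: https://example.gov.uk/pgp-key.txt
-----BEGIN PGP SIGNATURE-----
(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""
BAD_FILE = """\
Contact: http://example.gov.uk/report
Expires: 2023-01-01T00:00:00Z
Contacts: mailto:typo@example.gov.uk
"""
```

Against the constructed samples, `check_security_txt(GOOD_FILE, now=ARTICLE_DATE)` returns no findings, while `BAD_FILE` produces four: the misspelt `Contacts:` field, the http:// contact, the expired file and the missing Policy. To check a live deployment, fetch https://<domain>/.well-known/security.txt and pass the body in; if the file is clearsigned, verify the signature separately (for example with `gpg --verify`), since this checker only strips the armor.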

Policy features

Ollie N added that a vulnerability disclosure policy should define what is expected of someone reporting a vulnerability and what they can expect in return. It should contain information on: how to make contact; options for secure communication (such as a secure web form); what information to include in a report; what the finder should expect to happen; and guidance on what is in and out of scope for the finder to do.

“Security.txt will serve the government in its aim to become more resilient in its online security by making it easier for anyone to report vulnerabilities they have found,” he said.

“Quick, easy and secure reporting directly to the affected department speeds up the triage and remediation time and reduces the risk of compromise, such as reporting of a vulnerable web server so it can be remediated before being exploited.”
