While security researchers are adept at discovering vulnerabilities and measuring their impact, disclosing vulnerabilities to affected stakeholders has traditionally been difficult. Beyond public notices such as CVEs, there have traditionally been few appropriate channels through which to directly communicate the nature and scope of a vulnerability to those directly impacted by it. Security.txt is a relatively new proposed standard that hopes to change this by defining a canonical file format and URI through which organizations can provide contact information for vulnerability disclosure. However, despite its favourable characteristics, limited studies have systematically analyzed how effective Security.txt might be for a widespread vulnerability notification campaign. In this paper, we present a large-scale study of Security.txt’s adoption over the top 1M popular domains according to the Tranco list. We measure specific features of Security.txt files such as contact information, preferred language, and RFC version compliance. We then analyze these results to better understand how suitable the current Security.txt standard is for facilitating a large-scale vulnerability notification campaign, and make recommendations for improving future version of the standard.
Characterizing the Adoption of Security.txt Files and their Applications to Vulnerability Notification
William Findlay (Carleton University) and AbdelRahman Abdou (Carleton University)
View More Papers
Let’s Authenticate: Automated Certificates for User Authentication
James Conners (Brigham Young University), Corey Devenport (Brigham Young University), Stephen Derbidge (Brigham Young University), Natalie Farnsworth (Brigham Young University),...
Read MoreF-PKI: Enabling Innovation and Trust Flexibility in the HTTPS...
Laurent Chuat (ETH Zurich), Cyrill Krähenbühl (ETH Zürich), Prateek Mittal (Princeton University), Adrian Perrig (ETH Zurich)
Read MoreComparative Analysis of the DoT with HTTPS Certificate Ecosystems
Ali Sadeghi Jahromi, AbdelRahman Abdou (Carleton University)
Read MoreA Study on Security and Privacy Practices in Danish...
Asmita Dalela (IT University of Copenhagen), Saverio Giallorenzo (Department of Computer Science and Engineering - University of Bologna), Oksana Kulyk...
Read More