

The idea behind Security.txt is straightforward: The organization places a file called security.txt in a predictable place - such as /security.txt, or /.well-known/security.txt. What’s in the security.txt file varies somewhat, but most include links to information about the entity’s vulnerability disclosure policies and a contact email address.

The security.txt file made available by USAA, for example, includes links to its bug bounty program; an email address for disclosing security-related matters; its public encryption key and vulnerability disclosure policy; and even a link to a page where USAA thanks researchers who have reported important cybersecurity issues.

Other security.txt disclosures are less verbose, as in the case of HCA Healthcare, which lists a contact email address and a link to HCA’s “responsible disclosure” policies. Like USAA and many other organizations that have published security.txt files, HCA Healthcare also includes a link to information about IT security job openings at the company.

Having a security.txt file can make it easier for organizations to respond to active security threats. For example, just this morning a trusted source forwarded me the VPN credentials for a major clothing retailer that were stolen by malware and made available to cybercriminals.
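To make the mechanics concrete, here is an added example (my own code, not from this article and not any organization's real file) that parses a security.txt and flags the problems a checker would want to catch. It assumes the field names standardized in RFC 9116 (Contact, Expires, Encryption, Policy, Acknowledgments, Hiring, Preferred-Languages, Canonical) and that article's lookup order of /.well-known/security.txt first, then /security.txt. The sample file is constructed to mirror the kinds of entries the article describes: a disclosure mailbox, a bug bounty link, a public key, a policy page, a thanks page and a jobs page.

```python
"""Parse and sanity-check a security.txt file.

Added example, not code from the article. Field names follow RFC 9116 (the
security.txt standard); the sample below is constructed and belongs to no
real organization.
"""
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample security.txt, not any organization's real file.
SAMPLE_SECURITY_TXT = """\
# Security contact information for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://bugbounty.example.com/report
Expires: 2030-12-31T23:59:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/responsible-disclosure
Acknowledgments: https://example.com/security/thanks
Hiring: https://example.com/careers/security
Preferred-Languages: en, es
Canonical: https://example.com/.well-known/security.txt
"""

# Lookup order described in the article: the .well-known path, then the root.
WELL_KNOWN_PATHS = ("/.well-known/security.txt", "/security.txt")
KNOWN_FIELDS = ("Contact", "Expires", "Encryption", "Policy", "Acknowledgments",
                "Hiring", "Preferred-Languages", "Canonical")
REQUIRED_FIELDS = ("Contact", "Expires")          # RFC 9116 makes both mandatory
SINGLE_VALUE_FIELDS = ("Expires", "Preferred-Languages")
CONTACT_SCHEMES = ("mailto", "https", "tel")      # Contact must be a URI


def candidate_urls(host):
    """URLs a client should try, in order, for a given host."""
    return [f"https://{host}{path}" for path in WELL_KNOWN_PATHS]


def parse_security_txt(text):
    """Return {field: [values...]} in order of appearance.

    Field names are case-insensitive and normalised to the spelling in
    KNOWN_FIELDS. Comment lines ('#') and blank lines are skipped. If the file
    is PGP clearsigned, the armor lines and trailing signature are ignored.
    Lines without 'Field: value' shape are collected under '_malformed'.
    """
    canonical = {name.lower(): name for name in KNOWN_FIELDS}
    fields = {}
    clearsigned = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break                                   # nothing after this is content
        if line.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
            clearsigned = True
            continue
        if clearsigned and line.startswith("Hash:"):
            continue                                # clearsign header, not a field
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            fields.setdefault("_malformed", []).append(raw)
            continue
        name = canonical.get(name.strip().lower(), name.strip())
        fields.setdefault(name, []).append(value.strip())
    return fields


def check_security_txt(fields, now=None):
    """Return a list of problems (empty list means the file passes)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in fields:
            problems.append(f"missing required field {field}")
    for field in SINGLE_VALUE_FIELDS:
        if len(fields.get(field, [])) > 1:
            problems.append(f"{field} must appear at most once")
    for contact in fields.get("Contact", []):
        # A bare address like 'security@example.com' has no scheme: reject it.
        if urlparse(contact).scheme not in CONTACT_SCHEMES:
            problems.append(f"Contact must be a mailto:, https: or tel: URI, got {contact!r}")
    for field in ("Encryption", "Policy", "Acknowledgments", "Hiring", "Canonical"):
        for url in fields.get(field, []):
            if urlparse(url).scheme != "https":
                problems.append(f"{field} should be an https URL, got {url!r}")
    for expires in fields.get("Expires", []):
        try:
            when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires!r}")
            continue
        if when.tzinfo is None:
            problems.append("Expires must carry a timezone")
        elif when <= now:
            problems.append(f"file expired on {expires}")
    for bad in fields.get("_malformed", []):
        problems.append(f"unparseable line: {bad!r}")
    return problems


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE_SECURITY_TXT)
    print(candidate_urls("example.com"))
    print(parsed)
    print(check_security_txt(parsed) or "OK: no problems found")
```

The Expires check is the one most worth keeping in a monitoring job: a file that says "contact us here" but has lapsed gives a researcher no confidence the mailbox is still read, and a bare e-mail address without a mailto: scheme is the most common formatting mistake the parser above will surface.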
