Bug-finders' scheme: Tick-tock, this tech's tested by flaws... but who the heck do you tell?

Plan to cut through hassle of security notifications

Security researcher E. Foudil is pushing a scheme to make it easier for bug finders to notify companies about problems with their technology.

The idea revolves around “security.txt” - a simple text file, much like robots.txt, that contains information on whom to contact or where to look for security related information about a website. Ready access to this information would reduce the headaches involved in the often fraught security bug notification process, as web security guru Scott Helme explained:

Bad things happen and organisations need to respond quickly to resolve them, but one thing that's always slowed down the process was me not being able to find who I should speak to. I've been through call centres, online chats, support ticket systems, social media and who knows what else just to try and raise an issue with the right person.

The process is a nightmare, consumes significant amounts of my time and ultimately leaves the website and users vulnerable for even longer.

The idea, conceived by Foudil back in September, has been put forward as an RFC. The securitytxt.org website offers more information.

The scheme is analogous to robots.txt, the file websites use to specify which pages can and shouldn't be indexed by search engines and other web crawlers.
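As an added illustration (not code from the article, from Foudil's draft or from securitytxt.org), here is a small Python parser a site operator could run over their own security.txt to confirm it actually tells a researcher where to report. It assumes the draft's "Field: value" line format with "#" comments and a "Contact" field; the set of contact URI schemes it accepts is this example's own choice, so check the current draft at securitytxt.org before relying on it.

```python
# Added example: parse a security.txt file and check it names a contact.
# Assumes the draft's 'Field: value' lines, '#' comments and a 'Contact' field.
from typing import Dict, List

# Constructed sample of what a site might publish as its security.txt
SAMPLE = """\
# Our security contact details (constructed example)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Encryption: https://example.com/pgp-key.txt
"""


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Return field name -> list of values, in file order.

    Blank lines and '#' comments are skipped. A line without ':' is ignored
    rather than treated as fatal, so one malformed line does not hide the rest.
    Field names are case-insensitive and normalised to title case.
    """
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue
        fields.setdefault(name.strip().title(), []).append(value.strip())
    return fields


def check_security_txt(text: str) -> List[str]:
    """Return problems a site operator should fix; an empty list means usable."""
    fields = parse_security_txt(text)
    problems: List[str] = []
    contacts = fields.get("Contact", [])
    if not contacts:
        problems.append("no Contact field: researchers have nowhere to report")
    for c in contacts:
        # Assumption for this example: a contact must be a mailto:, tel: or https: URI
        if not c.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact value is not a mailto:/tel:/https: URI: {c}")
    return problems


if __name__ == "__main__":
    print(parse_security_txt(SAMPLE))
    print(check_security_txt(SAMPLE) or "security.txt looks usable")
```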

Helme told El Reg he's seen positive feedback on the idea from security researchers. “It's getting good backing from the researchers,” Helme explained. “I've started tracking the use of the text file in the Alexa Top 1 Million sites and it's as low as expected right now.”

“[It] would be nice to see sites adopting this so researchers like me can disclose quickly and easily to better protect users,” he added. ®

Biting the hand that feeds IT © 1998–2018