Security.txt file (RFC 9116) generator

Posted by Keijo Korte on Monday, May 1, 2023
Last Modified on Wednesday, June 7, 2023

A simple Golang-based security.txt generator

I just created my first application with Golang. I am pretty sure that the code is ugly, but it works :)

What is Security.txt

Security.txt is defined in RFC 9116 and has by now been adopted by various companies. The idea is to publish a file on a website at a predefined address (https://xxx.test/.well-known/security.txt). The file tells how the organisation can be contacted when security problems and vulnerabilities are found in its services.

Quote from Securitytxt.org

“When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to disclose them properly. As a result, security issues may be left unreported. security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.”

Contact: https://g.co/vulnz

Contact: mailto:[email protected]
Encryption: https://services.google.com/corporate/publickey.txt

Acknowledgements: https://bughunters.google.com/

Hiring: https://g.co/SecurityPrivacyEngJobs

Example of Google’s security.txt (RFC non-compliant).

Security.txt Usage in 2022

Red Maple Technologies ran a survey over an aggregated list of the top 1 million most visited websites (built from several datasets), plus the most valuable companies in the UK and US and several UK-based financial companies.

99.63% of the top 1M websites do not use a security.txt file. The columns indicate which fields are used.

[Figure: security.txt field usage among the top 1M websites]

Big companies

FTSE 100
The results show that 5 websites have a security.txt file, while 95 do not.

S&P 500
The results show that 18 websites (3.6%) have a security.txt file, while 472 (96.4%) do not.

The survey shows that adoption of security.txt is slow, but hopefully more and more organisations will adopt it to make it easier to get in touch when security problems arise.

Gensectext application

Since I want to share the joy of the security.txt file with the world, I made a small program that generates and optionally signs the file easily and conveniently. You can put it, for example, in a CI/CD release pipeline. The Golang application can be found on GitHub.
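The core of such a generator, as an added example that is not the Gensectext code: it builds the file from the RFC 9116 fields shown above and refuses to emit one that lacks Contact or Expires, expires more than a year out, or points at a plain http:// URI (a web URI in security.txt must use https). The SecurityTxt type, its field names and the example.test URIs are assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// SecurityTxt holds the RFC 9116 fields this constructed example emits (not the Gensectext data model).
type SecurityTxt struct {
	Contacts        []string  // REQUIRED: at least one https://, mailto: or tel: URI
	Expires         time.Time // REQUIRED: exactly once
	Encryption      []string  // where the organisation's public key lives
	Acknowledgments []string  // RFC 9116 spells this field "Acknowledgments"
}

// Render validates the required fields and serialises the file as one
// "Field: value" line per value, with Expires as an RFC 3339 UTC timestamp.
func (s SecurityTxt) Render(now time.Time) (string, error) {
	switch {
	case len(s.Contacts) == 0:
		return "", errors.New("Contact is required")
	case s.Expires.IsZero():
		return "", errors.New("Expires is required")
	case !s.Expires.After(now):
		return "", errors.New("Expires must be in the future")
	case s.Expires.After(now.AddDate(1, 0, 0)):
		return "", errors.New("Expires should be less than a year away")
	}
	var b strings.Builder
	fields := []struct{ name string; vals []string }{
		{"Contact", s.Contacts}, {"Encryption", s.Encryption}, {"Acknowledgments", s.Acknowledgments},
	}
	for _, f := range fields {
		for _, v := range f.vals {
			if strings.HasPrefix(v, "http://") { // RFC 9116: web URIs MUST use https
				return "", fmt.Errorf("%s: %q must use https", f.name, v)
			}
			fmt.Fprintf(&b, "%s: %s\n", f.name, v)
		}
	}
	fmt.Fprintf(&b, "Expires: %s\n", s.Expires.UTC().Format(time.RFC3339))
	return b.String(), nil
}

func main() {
	s := SecurityTxt{Contacts: []string{"https://example.test/security"}, Expires: time.Now().AddDate(0, 6, 0)}
	fmt.Println(s.Render(time.Now()))
}
```

Signing the output (which Gensectext offers as an option) is a separate step: the RFC expects a cleartext PGP signature over exactly this rendered text.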

This was my first “real” Go application, and it looks like it :)