IT security vulnerabilities, caused by design and programming errors, threaten a wide variety of systems. The contact methods used so far, such as website forms, are often ineffective for quickly and securely reporting discovered security issues. In addition, legal uncertainties, e.g. due to the “hacker paragraph” (§ 202c StGB in German legislation), make it difficult to responsibly report such vulnerabilities (Responsible Disclosure).
The security.txt specification offers a solution. This is a standardized text file that provides contact and encryption information. This file is stored in the /.well-known/ directory on web servers and is globally accessible via a fixed URL. Security researchers and companies can thus communicate with confidence.
Both sides benefit: security researchers can be honored and their recognition published, and companies can attract qualified specialists. The use of security.txt will be mandatory in the future under a new EU regulation to ensure accessibility and avoid fines. Further information and support can be found at