The main idea of the project is to formalize the interaction between a company's internal information security team and external researchers by stating clearly how and where to report vulnerabilities or other security problems. The lack of such formalization is a real problem: not every site runs a bug bounty program, and many do not even publish a security contact. Attempts to get through via the support service or Twitter often end with assurances that "everything is working as intended", followed by silence.
Of course, this only works if the company publishing security.txt is prepared to check the channel and respond to reports in a timely manner.

The standard has been under development since August 2017. It is still only an Internet-Draft and has not been assigned an RFC number. Despite this, it is already used by several large companies, among them Google, Dropbox and Pixiv. On the Russian-language web (Runet), I managed to find Goloslogos, Clean Line, Top Deck and Drive2.
The draft defines the following fields for security.txt:
- Contact : a link to a report form, a bug bounty program, or a mailto: address (this is the only required field; it may appear more than once)
- Encryption : a link to a PGP public key for encrypting sensitive information
- Acknowledgments : a link to a hall of fame page where researchers are credited
- Preferred-Languages : the languages in which you are able to communicate; several may be listed, separated by commas
- Canonical : the URL of the security.txt file itself; needed if you sign the file digitally, so that a verifier can tell where the signed copy is meant to live
- Policy : a link to your vulnerability disclosure policy, if you have one
- Hiring : a link to your job openings, if you are looking for security professionals
The official site has a generator that produces a file in the correct format.
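To show what a consumer of these fields has to deal with, here is a small parser and sanity checker for the format, written as an added example for this post (it is not code from the security.txt project or the official generator). It treats field names as case-insensitive, collects repeated fields such as Contact into lists, reports a missing Contact field, and flags Contact values that do not use the mailto:, tel: or https: schemes the draft recommends. The sample file and the example.com URLs in it are constructed for the example.

```python
"""Parse and sanity-check a security.txt file.

Added example for this post; not code from the security.txt project.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Field names defined by the security.txt draft. Names are matched
# case-insensitively, so the mapping goes from lower-case to canonical form.
KNOWN_FIELDS = {
    "contact": "Contact",
    "encryption": "Encryption",
    "acknowledgments": "Acknowledgments",
    "preferred-languages": "Preferred-Languages",
    "canonical": "Canonical",
    "policy": "Policy",
    "hiring": "Hiring",
}
# Fields that make no sense more than once in one file.
SINGLE_VALUE_FIELDS = {"Preferred-Languages"}
# URI schemes the draft recommends for Contact (assumption: anything else is flagged).
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")

# Constructed sample file for example.com; not any real company's security.txt.
SAMPLE = """\
# security.txt for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Encryption: https://example.com/pgp-key.txt
Acknowledgments: https://example.com/hall-of-fame
Preferred-Languages: en, ru
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
Hiring: https://example.com/jobs
"""


@dataclass
class SecurityTxt:
    """Parsed fields (each value is a list, since fields may repeat) plus problems found."""
    fields: dict[str, list[str]] = field(default_factory=dict)
    issues: list[str] = field(default_factory=list)

    @property
    def contacts(self) -> list[str]:
        return self.fields.get("Contact", [])

    @property
    def languages(self) -> list[str]:
        raw = self.fields.get("Preferred-Languages", [])
        return [lang.strip() for lang in raw[0].split(",") if lang.strip()] if raw else []


def parse_security_txt(text: str) -> SecurityTxt:
    result = SecurityTxt()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no data
        if ":" not in line:
            result.issues.append(f"line {lineno}: not a 'Field: value' line")
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        canonical = KNOWN_FIELDS.get(name.lower())
        if canonical is None:
            result.issues.append(f"line {lineno}: unknown field {name!r}")
            canonical = name  # keep it so the caller can still see it
        if canonical in SINGLE_VALUE_FIELDS and canonical in result.fields:
            result.issues.append(f"line {lineno}: {canonical} given more than once")
        if not value:
            result.issues.append(f"line {lineno}: empty value for {canonical}")
            continue
        result.fields.setdefault(canonical, []).append(value)

    # Contact is the only field the draft requires.
    if "Contact" not in result.fields:
        result.issues.append("Contact is required but missing")
    for contact in result.contacts:
        if not contact.startswith(CONTACT_SCHEMES):
            result.issues.append(f"Contact {contact!r} does not use a mailto:, tel: or https: URI")
    return result


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE)
    print("contacts:", parsed.contacts)
    print("languages:", parsed.languages)
    print("issues:", parsed.issues or "none")
```

Run it against a file fetched from a site's /.well-known/security.txt and the issues list tells you at a glance whether the file is usable: no Contact means the whole point of the file is lost, and a plain http: contact URL is a hint that the report form may be reachable over an unencrypted channel.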
References:
- Official website
- IETF draft text
- GitHub project