A simple securit.txt might just be Contact: [mailto:security@examplesite.com](mailto:security@examplesite.com)
Real world examples:
*
https://www.nytimes.com/.well-known/security.txt
https://www.theguardian.com/.well-known/security.txt
One weird thing is both these examples are technically incorrect - the specification says an "Expires" date is required. For example Expires: 2024-01-01 S
https://datatracker.ietf.org/doc/html/rfc9116#name-expires
https://www.uriports.com/blog/security-txt/ says that 46% of security.txt have no Expiry field. Presumably because it makes no sense to use it.
My question is: WHY would contact info require an expiry?
a) Normal contact info like examplesite.com/contact would not have an expiry date so why not just assume that would security.txt works the same? Just visit the page and get the latest info
b) Are security researchers actually storing old secutity.txt files?
c) How are we supposed to guarantee that some contact info is valid in the future? You might lose your domain next week - so you might not even wanna promise "this is valid until december"
I can't even guess what the point is. Is it intended for long term bug bounty hunters? Who crawl thousands of sites - and plan to spend X months hunting for bugs on one site - but they have bad experiences with not being able to report bugs before the site shuts down their security.txt email - so now they only pick sites which have an Expiry more than X months in the future? submitted by /u/SillAndDill
[link] [comments]
http://dlvr.it/T4FwRt
No comments:
Post a Comment