To address the issue of unreported security vulnerabilities, Cloudflare recently launched a dashboard to help create and manage a security.txt file for website vulnerability disclosures. The generated file adheres to the RFC9116 standard, offering security research teams a standardized method for reporting vulnerabilities.
Designed for any Cloudflare user managing a website, from small business owners to large enterprises, the new dashboard stores information in a distributed database. The security.txt file is generated dynamically, ensuring that updates are reflected in real-time without requiring manual intervention or file regeneration. Alexandra Moraru, threat intelligence product manager, and Sam Khawasé, engineering manager at Cloudflare, write:
Security.txt is becoming a widely adopted standard among security-conscious organizations (...) By offering an automated security.txt generator for free, we aim to empower all of our users to enhance their security measures without additional costs.
Source: Cloudflare blog
The RFC9116 standard introduces a well-organized file format that simplifies security vulnerability reporting by placing a text file in the domain's .well-known folder. Similar in syntax to robots.txt, the security.txt file is designed to be both machine and human-readable, allowing security experts to easily contact a website’s owner to report potential vulnerabilities.
Although the security.txt file allows companies to manage vulnerability reports effectively, one of the current challenges is the low adoption rate and compliance to the standard of the deployed files. Freddie Leeman, security expert, warned earlier this year:
We've launched an extensive project with a three-pronged approach: evaluating the adoption rate, developing a free tool for RFC compliance testing, and pinpointing common implementation mistakes. Among the top one million internet domains, we discovered that 0.7% (6816 domains) have embraced the security.txt file. Strikingly, just 19% of these domains pass RFC compliance!
To ensure compliance, Cloudflare generates the file dynamically and supports optional fields, such as encryption keys and signatures, enabling users to link to their PGP keys for secure communication or include signatures to verify authenticity. Additionally, each security.txt file includes an expiration timestamp, alerting administrators when their information may be outdated.
Contact: https://hackerone.com/cloudflare
Contact: mailto:security@cloudflare.com
# All abuse reports should be submitted to our Trust & Safety team through
# our dedicated page.
Contact: https://www.cloudflare.com/abuse/
Policy: https://www.cloudflare.com/disclosure/
Hiring: https://www.cloudflare.com/careers/jobs/
Preferred-Languages: en
Canonical: https://www.cloudflare.com/.well-known/security.txt
Source: Cloudflare own security.txt file
Describing it as 'a simple file with big value,' the Cybersecurity and Infrastructure Security Agency (CISA) emphasizes how security.txt helps streamline security management. In a popular Reddit thread, a Cloudflare user writes:
I ran into this over the weekend on accident while adjusting a setting. Super cool that this is now a feature.
Previously, Cloudflare open-sourced the Cloudflare Worker for the security.txt generator. Moraru and Khawasé add:
Users who prefer automation can manage their security.txt files through our API, allowing seamless integration with existing workflows and tools. This feature enables developers to programmatically update their security.txt configurations without manual dashboard interactions.
More information on the security.txt standard and a web generator are available online. This new feature is offered to all Cloudflare users at no cost.