Why is having a Security.txt so important and how can you create one?
Last week, during SECCON NL 2022, Zerocopter and the Digital Trust Center gave a joint presentation on “Improving business security by implementing Security.txt”. Why is it important to have a Security.txt, and what do you need to do to create one?
First of all, for those who are not familiar with the Digital Trust Center (DTC): it was set up in 2018 by the Dutch Ministry of Economic Affairs and Climate to secure digital businesses. It focuses on providing companies with reliable, independent information and concrete advice on digital vulnerabilities, and it encourages cybersecurity partnerships between companies and organisations for various purposes, this presentation being one example.
So, why did Zerocopter and DTC approach this subject? Why is having a Security.txt so important for the safety of the digital environment?
Because one thing is for sure: it helps share cyber threat information by providing specific information about the relevance, risk, and impact of a vulnerability. And there are many great examples, such as Log4j, REvil, ProxyShell, and more, where businesses were notified of a vulnerability via security.txt.
Of course, the file format has some downsides; for example, it can sometimes be quite hard to reach the right person within the organisation in time. There are alternatives to security.txt, the best example being a Coordinated Vulnerability Disclosure (CVD) policy.
Still, we believe that every business with any online assets should also have a Security.txt. That is why our Security Researcher, Maarten Boone, together with our team, created a tool called Security.txt Wizard. It helps you create a security.txt file in a couple of minutes: you only need a security contact email address and a PGP/GPG key, and then you can let the wizard work its magic. You can also add your CVD policy, job openings, acknowledgments, and the file's validity period.
The result? A signed Security.txt and a PGP/GPG public key that you can deploy right away! You can access the wizard by scanning the QR code below or following this link.
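As an added example (not the wizard's own code), here is a small Python generator and checker for the fields the post lists, laid out as RFC 9116 describes: Contact and Expires are required, Encryption points at the PGP/GPG public key, and Policy, Hiring, Acknowledgments and Canonical are optional. All hostnames and URLs are placeholders, and the clear-signing step the wizard performs (for example with `gpg --clearsign`) is deliberately left out.

```python
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Fields RFC 9116 defines for security.txt; Contact and Expires are mandatory.
KNOWN_FIELDS = {"Contact", "Expires", "Encryption", "Acknowledgments", "Policy",
                "Hiring", "Canonical", "Preferred-Languages", "CSAF"}
EXPIRES_FMT = "%Y-%m-%dT%H:%M:%SZ"  # ISO 8601 timestamp in UTC

def build_security_txt(contact: str, pgp_key_url: str, policy_url: str | None = None,
                       hiring_url: str | None = None, acknowledgments_url: str | None = None,
                       canonical_url: str | None = None, valid_days: int = 365) -> str:
    """Render the unsigned body from the inputs the post lists (hypothetical helper)."""
    if not contact.startswith(("mailto:", "https://", "tel:")):
        raise ValueError("Contact must be a mailto:, https:// or tel: URI")
    expires = datetime.now(timezone.utc) + timedelta(days=valid_days)
    lines = [f"Contact: {contact}",
             f"Expires: {expires.strftime(EXPIRES_FMT)}",
             f"Encryption: {pgp_key_url}"]  # where researchers fetch the public key
    for name, value in (("Policy", policy_url), ("Hiring", hiring_url),
                        ("Acknowledgments", acknowledgments_url), ("Canonical", canonical_url)):
        if value:  # optional fields are only emitted when supplied
            lines.append(f"{name}: {value}")
    return "\n".join(lines) + "\n"

def validate_security_txt(text: str) -> list[str]:
    """Return the problems found in an unsigned body; an empty list means it passes."""
    problems, fields = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are allowed
            continue
        name, _, value = line.partition(":")  # a line without ':' shows up as an unknown field
        name, value = name.strip(), value.strip()
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field: {name}")
        fields.setdefault(name, []).append(value)
    if "Contact" not in fields:
        problems.append("missing required Contact field")
    if "Expires" not in fields:
        problems.append("missing required Expires field")
    else:
        try:
            exp = datetime.strptime(fields["Expires"][0], EXPIRES_FMT).replace(tzinfo=timezone.utc)
            if exp <= datetime.now(timezone.utc):
                problems.append("Expires is in the past; the file must be refreshed")
        except ValueError:
            problems.append("Expires is not in YYYY-MM-DDTHH:MM:SSZ form")
    return problems
```

Serve the (signed) result at /.well-known/security.txt and re-run the checker before the Expires date passes, since an expired file is the most common way the contact information goes stale.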
While working on this tool, we once again realised how powerful collaboration is. We cannot stress enough how important it is to work together, especially in this industry. Great things can be accomplished when more people, from different backgrounds and with different skill sets, come together for the greater good. Because in the end, we all have the same goal: to make the digital world a better and safer place.
If you would like to discuss this topic or other topics, you can join the DTC Community here!