Broad support for security.txt internet standard

17 okt 2022

"Cybercrime is industrially scalable, but resilience is not yet." This is one of the key strategic themes for the Netherlands’ digital security, both today and in years to come, according to the Cyber Security Stategy Netherlands 2022 - 2028 (NLCS).

In May, the Digital Trust Center (DTC) announced that it was optimistic about the potential of security.txt as a standard. A quick survey by the DTC among public and private organisations in the field of cybersecurity regarding the utility of security.txt revealed broad support. Cybersecurity experts agree that this relatively simple measure can provide a scalable solution for sharing threat intelligence with companies that could become the victims of a cyberattack due to a vulnerability.

The importance of security.txt

Security.txt is a text file containing the contact details of the IT manager of a company or organisation. Because this file is stored in an agreed location on a web server, security researchers, ethical hackers or threat intelligence distributors such as the DTC can immediately report any security issues to the right person or department. This enables companies and organisations to take steps to prevent or limit the damage, and in turn benefits security across the whole business community.

Benefits and disadvantages

Organisations that exchange threat information also recommend the use of security.txt. The DTC has experienced first-hand that the reporting process could be made more efficient when sharing threat information with the business community.

Kim van der Veen, project leader for the DTC notification service: "Often, vulnerable IP addresses given to us by security researchers can be traced back to domain names, but the relevant contact details are harder to find. That means we waste valuable time tracking down the right email address or telephone number for the relevant IT manager. Security.txt changes all that, and it even makes it possible to warn companies automatically. That can save a lot of time in situations where time is of the essence."

Publishing email addresses in a location that is publicly accessible can lead to abuses, such as phishing or commercial spam. But cybersecurity experts agree that the risk of additional spam outweighs the risk of a missed security warning.

Recommended standard

The new internet standard is documented in RFC 9116 amd is currently being reviewed by the Standardisation Forum. This organisation will decide whether open ICT standards will become mandatory across central government. The results of the expert study are expected next spring.

The Internet Standards Platform, the organisation behind, has already been working on security.txt. A new test item for security.txt has been added to the website test on in close collaboration with the DTC. This test item checks whether the security.txt file is present and can be read.

An appeal to use security.txt

Together with a large number of ambassadors, the DTC wishes to promote the use of security.txt by companies and IT service providers. This simple security measure can significantly improve the exchange of threat information, and therefore the resilience of the Dutch business community too. Various communication tools to promote the use of security.txt are available in the security.txt Toolkit.