security.txt (RFC 9116)

🚨 BREAKING 🚨 Our @securitytxt 2024 version is updated containing a new CTF-like challenge. Check it out now: swisscom.ch/.well-known/se…

This is probably the best public Vulnerability Disclosure Program terms I've ever seen. It demonstrates the exact nature of a VDP, "see something, say something" no more, no less. +10 for hosting a @securitytxt file too. Nice work @ServiceNow 👏

🇯🇵

Looking for a little project to keep you busy on the weekend? I was just thinking: how many of the breached websites in @haveibeenpwned now have a security.txt file? So, if you feel like grabbing those domains and querying them all, there's an API here: #AllBreaches" target="_blank" rel="nofollow noopener">haveibeenpwned.com/API/v3#AllBrea…

Switzerland's largest retail company @migros published their vulnerability disclosure policy via @securitytxt 🥳

This is great: having a security.txt file is now mandatory for Dutch government websites. They either need to apply this as a standard or provide a good justification for why they're not using it ("Apply of Explain") digitaltrustcenter.nl/nieuws/securit…

security.txt 📑 has been added to the 'Comply or Explain' list of the Netherlands Standardisation Forum. This means that Dutch municipalities, provinces, the state, water boards and all operational organisations are obliged to apply this open standard.✅forumstandaardisatie.nl/nieuws/securit…

@HttpSecHeaders @CISAgov Awesome to see this! Unfortunately, the incorrect RFC ID was referenced. It should be RFC 9116. :(

@securitytxt nice recommendation for security.txt in this @CISAgov advisory cisa.gov/news-events/cy…

Bridge the gap between your website and security researchers. ✅ Implement security.txt and promote coordinated vulnerability disclosure. Need help getting started? ➡️ Head on over to securitytxt.org. #securitytxt #cybersecurity

That needed an update. 👀

Can you spare an hour to help us improve rfc-editor.org (the official home of RFCs)? If you’ve used RFCs for work, school or research, we’d love to learn from you - particularly if you're new here! Volunteer by answering a few quick questions: docs.google.com/forms/d/e/1FAI…

A tale of Google dorks finding subdomain takeovers plus why having a security.txt & a responsive security team are good news all round. London Councils & pirate books. Google dorking for subdomain takeovers. Thanks to our @OPSEC_failed pentestpartners.com/security-blog/… #cybersecuritytips

Check out the just released fresh version of Internet.nl with improved tests for CSP and security.txt, en.internet.nl/article/releas… Happy testing and improving! #moderninternet

@oh2fih also wrote a Bash helper script to generate RFC 9116-compliant security.txt files. github.com/oh2fih/securit…

🇫🇮 Shout-out to @oh2fih who wrote their Master's thesis on security.txt adoption on .fi domains. theseus.fi/handle/10024/7…

Where did you first hear about security.txt?

@Jester0x01 @rez0__ @OpenAI Now on the main website too: openai.com/security.txt. :)

@Jester0x01 @rez0__ @OpenAI cdn.openai.com/security.txt

This morning I was hacking the new ChatGPT API and found something super interesting: there are over 80 secret plugins that can be revealed by removing a specific parameter from an API call. The secret plugins include a "DAN plugin", "Crypto Prices Plugin", and many more.