adding a security.txt file
Has anyone added a security.txt file to their website?
No, it is an open invitation to get spammed :)
Thank you for responding!
Yes, I can see how publishing an email address on a website (even if it's buried in a text file with no links to it on the website) will lead to an increased risk of email abuse, especially an address related to security or support. For a personal website or even a small business this would be a waste of time and effort if a well-functioning email antispam/antiphishing tool or service isn't in place.
The contact section of a security.txt file does let you provide a list of contact means that can be used in addition to or in place of an email address. These could be phone numbers or even a URI to a web form that could be filled out, captcha validated, and submitted, allowing for more information to be gathered on first contact.
Of course, these other means of contact can be abused, too.
Other than the spam issue, what do you think about the idea of improving cybersecurity reporting and dialog within an organization or between an organization and its clients/vendors?
I manually added one on my own website (not using Umbraco), but I'd been noticing many 404 requests for the URL in my logs, so decided to add it - for what it's worth. 🤷‍♂️
https://leekelleher.com/.well-known/security.txt
I'd opted to point to the URL to my contact page, as opposed to give out my email address directly.
In terms of Umbraco specific, I'd seen that Erik-Jan Westendorp has been working on a package, but as far as I'm aware it hasn't been released yet. https://github.com/erikjanwestendorp/Our.Umbraco.SecurityTxt
Hope some of this helps?
Cheers,
- Lee
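The thread mentions two things a security.txt needs to get right: the Contact field (which accepts web URIs, mailto: and tel: URIs, not just a bare email address) and the fact that reporters and scanners actually fetch the file. Below is an added example, not code from this thread or from Erik-Jan's package, that renders the file in the shape RFC 9116 describes and then sanity-checks it: at least one Contact, exactly one Expires, Contact values that are real URIs, and an Expires that is in the future but not more than a year away. The contact URIs, hostname and dates in it are made up for illustration.

```python
# Added example: build and sanity-check a security.txt as laid out in RFC 9116.
# Not code from the forum thread; example.com and the dates below are placeholders.
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

REQUIRED = ("contact", "expires")            # RFC 9116: both MUST be present
SINGLE_VALUED = ("expires", "preferred-languages")  # MUST NOT appear more than once
CONTACT_SCHEMES = {"mailto", "tel", "https"}  # email, phone, or a web page/form


def build_security_txt(contacts: list[str], expires: datetime,
                       canonical: str | None = None,
                       languages: str | None = None) -> str:
    """Render the fields as 'Name: value' lines; Contact may repeat, Expires may not."""
    lines = [f"Contact: {c}" for c in contacts]
    stamp = expires.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines.append(f"Expires: {stamp}")
    if canonical:
        lines.append(f"Canonical: {canonical}")
    if languages:
        lines.append(f"Preferred-Languages: {languages}")
    return "\n".join(lines) + "\n"


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Collect values by lower-cased field name; '#' lines are comments and are skipped."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line (e.g. a PGP signature armor line)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file passed every check."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: list[str] = []

    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"field {name} must appear only once")

    # A bare 'security@example.com' is not a URI; it must be mailto:, tel: or https:.
    for contact in fields.get("contact", []):
        scheme = urlparse(contact).scheme.lower()
        if scheme not in CONTACT_SCHEMES:
            problems.append(f"contact {contact!r} is not a mailto:, tel: or https: URI")

    for expires in fields.get("expires", [])[:1]:
        try:
            when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"expires {expires!r} is not an RFC 3339 timestamp")
            continue
        if when.tzinfo is None:
            problems.append("expires has no timezone offset")
        elif when <= now:
            problems.append("expires is in the past; reporters will treat the file as stale")
        elif when - now > timedelta(days=365):
            problems.append("expires is more than a year out; RFC 9116 recommends less")
    return problems


if __name__ == "__main__":
    # Placeholder values; point Contact at a page/form if you'd rather not publish an address.
    sample = build_security_txt(
        contacts=["https://example.com/contact", "mailto:security@example.com"],
        expires=datetime.now(timezone.utc) + timedelta(days=180),
        canonical="https://example.com/.well-known/security.txt",
        languages="en",
    )
    print(sample)
    print("problems:", check_security_txt(sample) or "none")
```

Write the rendered text to `.well-known/security.txt` at the site root and re-run the check before the Expires date passes; a stale file is the most common way a published security.txt quietly stops being useful.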
Thanks for responding, Lee!
I'd noticed it's not easy to create the .well-known directory or even place the txt file at the Umbraco-based website's root. But I'm an Umbraco noob so perhaps I need a bit more training.
Thanks for providing the link to Erik-Jan's work. I'll check that out.
I'm not a security researcher but having personally gone through the hassle of reaching out to a large organization to report a security issue with a web server being abused in a phishing campaign I believe this is an area that should be improved. It shouldn't take many dead-end phone calls just to reach a person responsible for corporate cybersecurity.
I found the easiest way of creating the ".well-known" folder is by using an FTP client to create it. There are ways to do it in IIS but not that easy :) (Windows doesn't like folders starting with a ".")
Thank you, Huw!
You should also be able to just add it in your VS project and publish it