Security Tip: Publish a security.txt!
[Tip#9] security.txt is a simple way to share your security contacts to make vulnerability reporting easier.
The security.txt file is a new standard for defining the security policies of a website. It lives in the `/.well-known/` subdirectory and should be a publicly readable text file. The goal of a security.txt file is to make it simple for anyone wishing to report a security concern to get in contact with the right person quickly, without needing to dig through subpages and support docs to find the right email, or having to convince a support rep about an issue and jump through support hoops.
The best place to get started is: https://securitytxt.org/
There you will find a wizard to help you build your own security.txt file. Once you have the file, simply upload it to your site as: `/.well-known/security.txt`.
For example, this is the `security.txt` file on my site:
https://stephenreescarter.net/.well-known/security.txt
Contact: mailto:stephen@rees-carter.net
Contact: https://twitter.com/valorin
Expires: 2024-09-14T14:00:00.000Z
Encryption: https://keybase.io/valorin
Encryption: https://stephenreescarter.net/pgp-key.txt
Preferred-Languages: enAnd the one on google.com:
Contact: https://g.co/vulnz
Contact: mailto:security@google.com
Encryption: https://services.google.com/corporate/publickey.txt
Acknowledgements: https://bughunters.google.com/
Policy: https://g.co/vrp
Hiring: https://g.co/SecurityPrivacyEngJobsContact: https://hackerone.com/amazonvrp/reports/new
Hiring: https://www.amazon.jobs/en/teams/infosec
# Bug Bounty Policy:
Policy: https://hackerone.com/amazonvrp
# For vulnerabilities related to Amazon Web Services (AWS):
https://aws.amazon.com/security/vulnerability-reporting/If you want to keep digging into more examples, Scott Helme maintains a list of sites in the Top 1 Million Sites which have a security.txt file: https://crawler.ninja/files/security-txt-sites.txt
⚠️ Want me to hack into your app and tell you how I did it, so you can fix it before someone else finds it? Book in a Laravel Security Audit and Penetration Test! 🕵️
👉 Looking to dive deeper into Laravel security? Check out Practical Laravel Security, my hands-on security course that uses interactive hacking challenges to teach you about how vulnerabilities work, so you can avoid them in your own code! 🕵️