[Last-Call] <draft-foudil-securitytxt-08.txt> (A Method for Web Security Policies) to Informational RFC

Hello,

As has been noted, the US Cyber and Infrastructure Security Agency recently published a directive in public draft[1] which will instruct executive branch agencies to use security.txt. I am the lead author of the directive, and I'm emailing to offer a note in support of this draft.

One of our goals in this directive is to minimize the time between discovery of a potential vulnerability and the receipt of a report about that vulnerability by someone who manages the system in question. We intend to support this goal by enhancing the discoverability (...external to government and internal to it) of an agency's vulnerability disclosure policy and appropriate contacts. CISA could choose to define something for our own purposes – similar things happen in the US Government's online space[2] – but security.txt has the helpful properties of existing and seeing a fair amount of adoption[3] in the last few years. I'd rather we contribute to an existing approach than dream up our own, and see that approach improved, normalized, and standardized.

In short, I think security.txt is a useful idea and it helps solve a problem I have.

[1]: https://cyber.dhs.gov/bod/20-01/
[2]: US federal agencies are subject to rules which require the placement of online content in a particular place so it can be harvested: data (https://resources.data.gov/tools/how-to-get-your-open-data-on-datagov/#federal-data-with-project-open-data); code (https://code.gov/about/compliance/inventory-code).
[3]: https://crawler.ninja/files/security-txt-sites.txt

- - - -
Cameron

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
