Internet.nl adds test for security.txt
What is your contact point for security vulnerabilities?
At any time, security researchers (also known as benevolent or ethical hackers) may find digital vulnerabilities in your website or IT systems. Of course, you want to be informed as fast as possible when such a discovery is made, so you can respond quickly and fix the leak. Unfortunately, it is often unclear where a security researcher can report a found vulnerability. This means valuable time may be lost in finding and reaching the right department or person within an organisation. The well-intentioned message may not even reach anyone at all.
Faster warnings with security.txt
Since malicious parties can also detect these vulnerabilities, no avoidable time should be lost in alerting affected organisations. The Digital Trust Center (DTC) regularly experiences that this speed is important when alerting Dutch companies. Security.txt can help. By making contact information available through security.txt as an organisation, security researchers can immediately alert the right person or department. The DTC therefore recommends that every company publishes a security.txt file and keeps it up to date.
Internet.nl test on security.txt
The new test for security.txt in Internet.nl is intended as a tool for companies and other organisations. The test checks whether the security.txt file is present on the domain name and whether the information included has the correct format.
Gerben Klein Baltink, chair Internet Standards Platform:
"Together with the DTC, we worked to ensure that Internet.nl now also tests for security.txt. By simply adding this standardised format to your web domain, it has become easier for "helping hackers" to find the right contacts if they find a vulnerability with you. I therefore warmly encourage organisations to publish a security.txt file and check via Internet.nl whether this has been done correctly. This is how we keep the Internet open, free and secure together!"
For now, the security.txt standard within Internet.nl has the recommended status. The results of the security.txt test do not yet weigh into the overall test result score. Later this year, the security.txt test will also be added to Internet.nl's API and dashboard. The Netherlands Standardisation Forum is currently reviewing whether the security.txt standard is suitable to become mandatory for the government via inclusion on the 'comply or explain' list.
Want to know more?
Does your company or organisation already have a security.txt file? Enter your website URL at Internet.nl and you'll know within seconds. Wondering how to easily create your own security.txt file? Then read more about security.txt on the DTC website (in Dutch).
The test tool Internet.nl is an initiative of the Dutch Internet Standards Platform which is a collaboration of partners from the Internet community and the Dutch government. The aim of the platform is to jointly increase the use of modern Internet standards to make the Internet more accessible, safer and more reliable for everyone. The software code of Internet.nl is available under an open source license.
Release notes 1.6.0
- Add security.txt support. For all IPs of web servers, this looks for the existence and validity of a RFC9116 security.txt file.
Upgrading to 1.6 from 1.5.x
See the change overview for the steps to upgrade if you have your own deployment of the internet.nl codebase.