Similar to robots.txt and humans.txt, a recent addition is the security.txt file. It is currently a draft proposal for a standardized way to publish a site's security policy for researchers, which is useful for bug bounty and disclosure programs. Government agencies were tasked with adding these back in 2019, but COVID-19 likely delayed implementation and rollout.
This is usually served at /.well-known/security.txt, but it can also sit directly in the site root at /security.txt. Personally, I put mine in /.well-known/ and put a redirect at the root to simplify maintenance.
For additional security, you can optionally sign the policy with PGP.
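As an added example (not code from the original post), here is a small Python parser for security.txt that also handles the PGP cleartext-signed form: it extracts the signed body (without verifying the signature, which needs a PGP library and the publisher's key) and checks the rules a policy should satisfy under RFC 9116, the standards-track version of the draft, such as a required Contact URI and an unexpired Expires stamp. The sample file and the example.com addresses in it are constructed for the demonstration.

```python
from datetime import datetime, timezone
# Constructed sample in PGP cleartext-signed form (example.com is a placeholder).
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Comment lines and blank lines are ignored
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2099-01-01T00:00:00z
Encryption: https://example.com/pgp-key.txt
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
"""

def unwrap_cleartext(text):
    """Return the signed body of a cleartext-signed file (signature NOT verified)."""
    if not text.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        return text
    body = text.split("-----BEGIN PGP SIGNATURE-----", 1)[0]
    body = body.split("\n\n", 1)[1] if "\n\n" in body else ""  # skip armor headers
    # undo the dash-escaping that cleartext signing applies to lines starting with '-'
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body.splitlines())

def parse_security_txt(text, now=None):
    """Parse into ({field: [values]}, [problems]) using RFC 9116 rules."""
    now = now or datetime.now(timezone.utc)
    fields, problems = {}, []
    for line in unwrap_cleartext(text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            problems.append(f"unparseable line: {line!r}")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    for name in ("contact", "expires"):  # both fields are mandatory
        if name not in fields:
            problems.append(f"missing required field {name}")
    for uri in fields.get("contact", []):  # web contacts must use https
        if not uri.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"contact is not a mailto/tel/https URI: {uri}")
    for stamp in fields.get("expires", []):
        try:
            when = datetime.fromisoformat(stamp[:-1] + "+00:00" if stamp[-1:] in "zZ" else stamp)
            if when <= now:
                problems.append(f"policy expired on {stamp}")
        except (ValueError, TypeError):  # TypeError: stamp carried no timezone
            problems.append(f"unparseable expires value: {stamp}")
    return fields, problems
```

Running `parse_security_txt(SAMPLE)` returns the parsed fields and an empty problem list; feeding it a file with a bare e-mail address or a past Expires date reports each violation.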
Details:
I did some searching around the web and found some examples (linked below):
File in the root path:
File in the preferred /.well-known path:
- https://edoverflow.com/.well-known/security.txt
- https://www.facebook.com/.well-known/security.txt
- https://bugcrowd.com/.well-known/security.txt
- https://defcon.org/.well-known/security.txt
- https://www.google.com/.well-known/security.txt
- https://www.bbc.com/.well-known/security.txt
- https://www.dropbox.com/.well-known/security.txt
- https://www.linkedin.com/.well-known/security.txt
- https://www.qualys.com/.well-known/security.txt
- https://github.com/.well-known/security.txt
- https://securitytxt.org/.well-known/security.txt
- https://haveibeenpwned.com/.well-known/security.txt
- https://www.shopify.com/.well-known/security.txt
- https://www.lego.com/.well-known/security.txt
- https://www.overstock.com/.well-known/security.txt
- https://www.kali.org/.well-known/security.txt
- https://login.gov/.well-known/security.txt
Some PGP signed examples:
Questionable, though since the files are meant to be read by humans, this would meet the simplest use case: