Looks like the Dutch government has recently mandated usage of security.txt on public service websites through their "Comply or Explain" policy. Very cool. Having a security.txt file gives security researchers, or generally anyone on the internet, a reliable way to get in contact with you if they find a security vulnerability on your website. We've recommended the same thing, along with having a dedicated security@ email alias, in our blog post "Fixing vulnerabilities and getting the occasional white hat helper".
Blog post - https://kinde.com/blog/security/fixing-vulnerabilities-and-getting-the-occasional-white-hat-helper/
SecurityTXT - https://securitytxt.org/
Dutch press - https://www.digitaltrustcenter.nl/nieuws/securitytxt-verplicht-voor-overheid
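As an added example, not code from Kinde, securitytxt.org or the post above: a small Python script that writes a security.txt in the RFC 9116 format and checks the fields a researcher relies on (at least one Contact as a mailto:, https: or tel: URI; exactly one Expires with a timezone, in the future and ideally under a year away). The domain, addresses and dates are placeholders I made up for the demo.

```python
"""Build and sanity-check an RFC 9116 security.txt (added example, not Kinde's code)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Field names defined by RFC 9116; other names are allowed as extensions
# but are usually typos, so the validator flags them.
KNOWN_FIELDS = {"Contact", "Expires", "Encryption", "Acknowledgments",
                "Preferred-Languages", "Canonical", "Policy", "Hiring", "CSAF"}
ALLOWED_CONTACT_SCHEMES = {"mailto", "https", "tel"}

# Fixed clock so the demo output is reproducible (assumption for the example).
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def build_security_txt(contacts, days_valid=180, canonical=None, policy=None,
                       encryption=None, now=None):
    """Return the text of a security.txt; serve it at /.well-known/security.txt."""
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=days_valid)).replace(microsecond=0)
    lines = ["# security.txt (constructed example for example.com)"]
    lines += [f"Contact: {c}" for c in contacts]
    lines.append(f"Expires: {expires.isoformat()}")  # RFC 3339 with offset
    if encryption:
        lines.append(f"Encryption: {encryption}")
    if canonical:
        lines.append(f"Canonical: {canonical}")
    if policy:
        lines.append(f"Policy: {policy}")
    return "\n".join(lines) + "\n"


def parse_security_txt(text):
    """Split 'Field: value' lines into {field: [values]}, skipping comments."""
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            problems.append(f"line {lineno}: not in 'Field: value' form")
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields, problems


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file looks usable."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text)

    contacts = fields.get("Contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:
        # A bare 'security@example.com' has no scheme and is not a valid Contact.
        if urlsplit(c).scheme not in ALLOWED_CONTACT_SCHEMES:
            problems.append(f"Contact must be a mailto:, https: or tel: URI: {c!r}")

    expires = fields.get("Expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]!r}")
        else:
            if when.tzinfo is None:
                problems.append("Expires must carry a timezone offset")
            elif when <= now:
                problems.append("security.txt has expired; researchers may treat it as stale")
            elif when > now + timedelta(days=366):
                problems.append("Expires should be less than a year away")

    if len(fields.get("Preferred-Languages", [])) > 1:
        problems.append("Preferred-Languages must appear at most once")
    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name!r}; check the spelling")
    return problems


if __name__ == "__main__":
    txt = build_security_txt(
        ["mailto:security@example.com", "https://example.com/security"],
        canonical="https://example.com/.well-known/security.txt",
        policy="https://example.com/security-policy",
        now=DEMO_NOW,
    )
    print(txt)
    print("problems:", validate_security_txt(txt, now=DEMO_NOW))
```

The Expires check is the one worth automating: a file that is never refreshed silently tells researchers the contacts may be dead, so run the validator against the live URL in CI or a cron job and alert before the date passes.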
Really helpful! Thanks for the info @alexander748923
Very helpful! Also found another example in the wild: Supabase website has security.txt too
Thanks for sharing. I am also facing the same problem on my client's site. Now I have resolved the error after reading these articles.
Do you think this should be a standard for all websites? Or just a certain type/scale of site?
It's for all websites. I tested it personally on my site.
@Crumb4059 I think everyone of any size. Anyone's website can have a vulnerability and you'd rather be told about it by someone friendly. Setting up a security.txt file is quick and simple. When you start getting larger or start working with more sensitive data, then you can move to bigger things like a bug bounty program.
This is really cool, and I'm going to do the same!
Thanks for sharing!
Facing the same problem again.
I had it a while ago on webtoapp.design. I removed it again, though, because I kept getting spam, and since then everything has been back to normal.
Reminded me of an older article also discussing the level of spam that this could cause, and probably something I should have highlighted.
https://krebsonsecurity.com/2021/09/does-your-organization-have-a-security-txt-file/