A ‘security.txt’ file is hosted for each of an organisation’s internet-facing website domains to assist in the responsible disclosure of vulnerabilities in the organisation’s products and services.
Topic: Vulnerability disclosure program
Applicable to: all
History
Sep 2024
A ‘security.txt’ file is hosted for each of an organisation’s internet-facing website domains to assist in the responsible disclosure of vulnerabilities in the organisation’s products and services.
The existing control relating to the use of security.txt files in support of vulnerability disclosure programs was amended from ‘all internet-facing organisational domains’ to ‘each of an organisation’s internet-facing website domains’.
Sep 2023
A ‘security.txt’ file is hosted for all internet-facing organisational domains to assist in the responsible disclosure of vulnerabilities in an organisation’s products and services.
References to ‘security vulnerabilities’ were replaced with ‘vulnerabilities’.
Mar 2022
A ‘security.txt’ file is hosted for all internet-facing organisational domains to assist in the responsible disclosure of security vulnerabilities in an organisation’s products and services.
Miscellaneous changes were made to rationale and recommendations throughout the publication to clarify content without changing intent. This included a review from the Guidelines for System Hardening chapter through to the Guidelines for Data Transfers chapter.
Dec 2021
A ‘security.txt’ file is hosted for all internet-facing organisational domains to assist in the responsible disclosure of security vulnerabilities in organisations’ products and services.
A recommendation to host a ‘security.txt’ file for all internet-facing organisational domains has been added to assist in the responsible disclosure of security vulnerabilities to organisations in support of their vulnerability disclosure programs.