A Security.txt alone is not enough


Lennert Hut

Online Marketer

In recent weeks, the national government has invested heavily in a campaign about Security.txt. Maybe you've seen it, but haven't dug into it yet. Read on, because we will immediately tell you what is not being said about the security of your network. 

What is Security.txt?

The file type is probably familiar to you. It is nothing more than a simple text file without formatting. But it's about the content. Security.txt shows, among other things, the contact details of the persons responsible for the IT security of the website. In this form, the file can be read by both man and machine. The file can be created and placed on your website.

Who is Security.txt for?

We limit ourselves to people: especially for ethical hackers. If they discover a leak in the site, a so-called security vulnerability, they are often willing to report it. But so far that has often been a hell of a job. Where do you report such a thing? Every website has its own addresses. Ethical hackers often got caught up in a jungle of e-mail addresses, contact pages or social media accounts. Experience shows that generic addresses such as were not managed very faithfully.

And since ethical hackers are doing website owners a favor, you want to make it as easy as possible for them. Then you don't want to spend a lot of time searching. Because in the end, a reporter will leave it at that and your website will continue to leak.

Gone are the days when we could leave these kinds of notifications on the shelf. Or even worse: that they disappear into thin air. All of us really spend too much time and money on attacks such as ransomware, spam and hacking. On average, an attack now costs about 5 million euros, according to our calculations Solution PartnerIBM. So to be clear: that is per company. And those costs increase annually by about 15%.

A report about a vulnerability is therefore invaluable. And so you want to make it as easy as possible for a reporter. That reporter must therefore be able to go to a general counter for IT Security matters that can be found immediately. That counter is called Security.txt and is part of your website.

Where can I find Security.txt?

There have been general worldwide rules for this since April 2022. We have all agreed that Security.txt can be found online for everyone in /.well-known/security.txt on a website. So for our website that is .

Suppose I get a message. What then?

That is the question that is often missing from the Security.txt story. Because communicating the correct address about a leak is only the beginning. It's about solving. For that you need to know what is meant. And of course how it is solved. You can get a message about the missing security headers, but not everyone knows what's going on. Do you get a notification via the Security.txt? We do not just solve it, but immediately take the entire environment with us.

Why is that necessary?

Because such a notification via Security.txt usually points to shortcomings in more places. With a Security Scan we look at all possible ways to enter your network. The weakest spot is the first entry point for an attacker. Attackers are looking for that entrance 24 hours a day.

Are you curious if they will come in? Make an appointment and we will tell you within 1 day of the start, with a Security Scan from Pentera ASV. 

As a Marketer at Aumatics, I keep track of trends and developments in the field of IT Security and IT services. Like my colleagues at Aumatics, I like to share them with you, so that you work more safely and easily, wherever you are.

Lennert Hut

Online Marketer