Currently still a draft.
security.txt
A proposed standard which allows websites to define security policies.
Very simple: it tells others who to contact if the website has a security problem, and how to report it.
For example, Facebook's security.txt:
Contact: https://www.facebook.com/whitehat/report/
Acknowledgments: https://www.facebook.com/whitehat/thanks/
Hiring: https://www.facebook.com/careers/teams/security/
# Found a bug? Our bug bounty policy:
Policy: https://www.facebook.com/whitehat/info/
# What we do when we find a bug in another product:
Policy: https://www.facebook.com/security/advisories/Vulnerability-Disclosure-Policy
Expires: Sun, 28 Nov 2021 12:46:26 -0800
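As an added example (not code from the original post or from Facebook), here is a small Python checker for a security.txt file like the one above: it parses the "Field: value" lines, skips the "#" comments, keeps repeated fields such as the two Policy lines, and reports a missing Contact or Expires field or an Expires date that has already passed. Treating Contact and Expires as required is an assumption of this checker, matching the published RFC 9116; the sample text is constructed from the file quoted above.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
# Constructed sample: the Facebook file quoted in the post.
SAMPLE = """\
Contact: https://www.facebook.com/whitehat/report/
Acknowledgments: https://www.facebook.com/whitehat/thanks/
Hiring: https://www.facebook.com/careers/teams/security/
# Found a bug? Our bug bounty policy:
Policy: https://www.facebook.com/whitehat/info/
# What we do when we find a bug in another product:
Policy: https://www.facebook.com/security/advisories/Vulnerability-Disclosure-Policy
Expires: Sun, 28 Nov 2021 12:46:26 -0800
"""

def parse_security_txt(text):
    """Return {field_name: [values]}; '#' lines are comments, fields may repeat."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Field: value" line; skip it
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def parse_expires(value):
    """Accept the RFC 5322 style date used above or an ISO 8601 timestamp."""
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):  # TypeError on Python < 3.10
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # treat a bare timestamp as UTC so comparisons work
        dt = dt.replace(tzinfo=timezone.utc)
    return dt

def check(text, now=None):
    """List the problems a site owner should fix; an empty list means OK."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    if not fields.get("contact"):
        problems.append("missing Contact")
    if not fields.get("expires"):
        problems.append("missing Expires")
    elif parse_expires(fields["expires"][0]) < now:
        problems.append("Expires is in the past: " + fields["expires"][0])
    return problems
```

Run `check(SAMPLE)` against the current date to see the Facebook file reported as expired; pass `now=` to evaluate it as of a chosen date.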
PS: I tried the major sites at home and abroad; only facebook.com had a security.txt, none of the others did.