Security.txt

When security vulnerabilities are discovered by researchers, proper reporting channels are often lacking. As a result, some vulnerabilities are not reported. The purpose of the security.txt file format is to give security researchers the information they need to report their findings.

Magento merchants can enter their contact information for security issue reporting from the Magento Admin. For developers, the Magento_Securitytxt module provides the following functionality:

• Allows security configurations to be saved from the Admin.
• Contains a router to match application action class for requests to the .well-known/security.txt and .well-known/security.txt.sig files.
• Serves the content of the .well-known/security.txt and .well-known/security.txt.sig files.

A valid security.txt file might look like the following:

1
2
3
4
5
6
Contact: mailto:security@example.com
Contact: tel:+1-201-555-0123
Encryption: https://example.com/pgp.asc
Acknowledgement: https://example.com/security/hall-of-fame
Policy: https://example.com/security-policy.html
Signature: https://example.com/.well-known/security.txt.sig

For example, a typical security.txt file might be found at: https://example.com/.well-known/security.txt

To create the security.txt signature (security.txt.sig) file:

1
gpg -u KEYID --output security.txt.sig --armor --detach-sig security.txt

To verify the signature:

1
gpg --verify security.txt.sig security.txt