Security.txt
When security vulnerabilities are discovered by researchers, proper reporting channels are often lacking. As a result, some vulnerabilities are not reported. The purpose of the security.txt
file format is to give security researchers the information they need to report their findings.
Magento merchants can enter their contact information for security issue reporting from the Magento Admin. For developers, the Magento_Securitytxt
module provides the following functionality:
- Allows security configurations to be saved from the Admin.
- Contains a router to match application action class for requests to the
.well-known/security.txt
and.well-known/security.txt.sig
files. - Serves the content of the
.well-known/security.txt
and.well-known/security.txt.sig
files.
A valid security.txt
file might look like the following:
1
2
3
4
5
6
Contact: mailto:security@example.com
Contact: tel:+1-201-555-0123
Encryption: https://example.com/pgp.asc
Acknowledgement: https://example.com/security/hall-of-fame
Policy: https://example.com/security-policy.html
Signature: https://example.com/.well-known/security.txt.sig
For example, a typical security.txt
file might be found at:
https://example.com/.well-known/security.txt
To create the security.txt
signature (security.txt.sig
) file:
1
gpg -u KEYID --output security.txt.sig --armor --detach-sig security.txt
To verify the signature:
1
gpg --verify security.txt.sig security.txt