When security researchers discover vulnerabilities, they often cannot find a proper channel for reporting them, and as a result some vulnerabilities go unreported. The purpose of the security.txt file format (standardized in RFC 9116) is to give researchers the contact and policy information they need to report their findings.
Magento merchants can enter their contact information for security issue reporting from the Magento Admin. For developers, the Magento_Securitytxt module provides the following functionality:
- Allows the security.txt configuration to be saved from the Admin.
- Contains a router that matches the application action class for requests to the security.txt and security.txt.sig files.
- Serves the content of the security.txt and security.txt.sig files.
A security.txt file might look like the following:

```text
Contact: mailto:firstname.lastname@example.org
Contact: tel:+1-201-555-0123
Encryption: https://example.com/pgp.asc
Acknowledgement: https://example.com/security/hall-of-fame
Policy: https://example.com/security-policy.html
Signature: https://example.com/.well-known/security.txt.sig
```

Note that this layout follows the pre-standard draft of the format. The published RFC 9116 spells the field Acknowledgments, makes the Expires field mandatory, and has no Signature field: instead, the file itself carries an OpenPGP cleartext signature. Check what the RFC-aware tooling you or your researchers use expects before relying on the Signature line.
A security.txt file is served at the /.well-known/security.txt path of the site, the location defined by RFC 9116 and the one the Signature URL in the example above sits alongside.
To create the security.txt signature (security.txt.sig), where KEYID selects the signing key and --armor writes an ASCII-armored detached signature:

```bash
gpg -u KEYID --output security.txt.sig --armor --detach-sig security.txt
```
To verify the signature (the signer's public key must already be in the verifying keyring, for example imported from the Encryption URL):

```bash
gpg --verify security.txt.sig security.txt
```