The Digital Trust Center (DTC) is in favour of designating the Security.txt protocol as the new standard for reporting security vulnerabilities. According to the agency, the protocol can contribute to increasing the digital resilience of companies. There are some drawbacks to the protocol, but these do not outweigh the benefits that can be gained from it.
The DTC writes this in a press statement.
Reporting vulnerabilities is very important
Cyber attacks and other digital threats today have an increasing impact on our society. An attack on, for example, an energy company or internet service provider can seriously disrupt society. The police receive about 200 reports of ransomware attacks every year, Minister of Justice and Security Dilan Yesilgöz-Zegerius recently wrote in a letter to the House of Representatives. Due to the social impact of attacks with ransomware, the minister is a strong advocate of cracking down on hackers.
Even if a cyber attack does not have major consequences for society, companies will benefit from increasing their digital resilience. Businesses and organizations benefit from being notified of a web server vulnerability, or of a configuration error in their network and information systems that allows abuse.
Security researchers use tools to detect such vulnerabilities. However, they often do not know where to report them. As a result, such relevant information does not reach the stakeholders. This is not without risk: after all, hackers use the same techniques to detect security problems, and to abuse them.
‘Making entrepreneurial Netherlands more resilient’
Since 2017, the Internet Engineering Task Force (IETF) has been working on a standard to efficiently report security vulnerabilities. After five years of thinking and discussing with the community, ‘Security.txt’ is the end result. This is a file in which companies, government bodies, organizations and agencies can publish how security vulnerabilities should be reported to them and how they deal with such reports.
The DTC is positive about the proposed standard. “After all, the DTC stands for making the enterprising Netherlands more resilient and this Security.txt protocol that is relatively easy to implement can make a positive contribution to this. Vulnerability reporting will become easier and likely to happen more often. This allows companies to take their measures and increase their digital resilience,” the agency writes in a press release.
Benefits of Security.txt
According to the DTC, one of the advantages is that Security.txt provides “significant time savings”. “Now we sometimes lose valuable time because we have to look for contact details in the lists of IP addresses. By including contact details in the Security.txt file, the DTC reaches the vulnerable companies faster and a company can start earlier with damage-limiting measures,” said Kim van der Veen, project leader at the DTC.
She also emphasizes that Security.txt could become part of cyber hygiene. “After all, it improves your resilience against cyber attacks because you are more quickly aware of security vulnerabilities discovered by cyber researchers,” says Van der Veen. Security.txt is also a security measure that can be implemented quickly, easily and without high costs.
Disadvantages do not outweigh the advantages
The DTC recognizes that there are risks associated with the Security.txt protocol. For example, the document contains contact details of companies and organizations that want to receive notifications about vulnerabilities. Hackers and cybercriminals could misuse this data for malicious purposes, such as spam or phishing. Another realistic scenario is that cybercriminals disguise a phishing email as a vulnerability report when they send it to the contact address listed in Security.txt.
The DTC emphasizes that you also run these risks if you publish a contact page with an email address, or if you provide an abuse address on your responsible disclosure page. However, according to the developers of Security.txt, these disadvantages do not outweigh the advantages. To minimize the risk of spam or phishing, it is wise to agree on who within an organization is responsible for assessing reports and taking measures.
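The article describes the file only in outline. As an added illustration (not code from the DTC or the article), the check below parses a constructed security.txt and verifies the two things a defender should get right before publishing one: the Contact entries are usable URIs, and the Expires field is present, single, and not stale. The rules applied are those of RFC 9116, the published form of the IETF standard the article refers to; the sample domain and addresses are made up.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample for illustration; a real file is served at /.well-known/security.txt
SAMPLE_SECURITY_TXT = """\
# security.txt for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/report-vulnerability
Expires: 2030-12-31T23:00:00Z
Preferred-Languages: nl, en
"""

def parse_security_txt(text):
    """Return {field_name_lowercased: [values]}; RFC 9116 field names are case-insensitive."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments carry no fields
        name, sep, value = line.partition(":")
        if not sep:
            continue                      # not a field line; unknown lines are ignored
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now):
    """List the problems a defender should fix before relying on the published file."""
    fields = parse_security_txt(text)
    problems = []
    if "contact" not in fields:
        problems.append("missing required field: Contact")
    for contact in fields.get("contact", []):
        if not re.match(r"^[a-z][a-z0-9+.-]*:", contact, re.IGNORECASE):
            problems.append(f"Contact is not a URI: {contact}")
        elif contact.lower().startswith("http://"):
            problems.append(f"web Contact must use https://: {contact}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    for value in expires:
        try:
            exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {value}")
            continue
        if exp <= now:
            problems.append(f"file expired on {value}; researchers may treat it as stale")
        elif exp > now + timedelta(days=366):
            problems.append("Expires is more than a year ahead; RFC 9116 recommends less")
    return problems
```

Run `check_security_txt(SAMPLE_SECURITY_TXT, datetime.now(timezone.utc))` against your own file; an empty list means the required fields are in order, which is a useful addition to the periodic review the DTC recommends assigning to a named owner.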
In the coming period, the DTC will enter into discussions with entrepreneurs and IT service providers to increase awareness of the security standard. “A targeted campaign may be able to help with this,” thinks Van der Veen.