William Findlay (Carleton University) and AbdelRahman Abdou (Carleton University)

While security researchers are adept at discovering vulnerabilities and measuring their impact, disclosing vulnerabilities to affected stakeholders has traditionally been difficult. Beyond public notices such as CVEs, there have traditionally been few appropriate channels through which to directly communicate the nature and scope of a vulnerability to those directly impacted by it. Security.txt is a relatively new proposed standard that hopes to change this by defining a canonical file format and URI through which organizations can provide contact information for vulnerability disclosure. However, despite its favourable characteristics, limited studies have systematically analyzed how effective Security.txt might be for a widespread vulnerability notification campaign. In this paper, we present a large-scale study of Security.txt’s adoption over the top 1M popular domains according to the Tranco list. We measure specific features of Security.txt files such as contact information, preferred language, and RFC version compliance. We then analyze these results to better understand how suitable the current Security.txt standard is for facilitating a large-scale vulnerability notification campaign, and make recommendations for improving future version of the standard.

View More Papers

COOPER: Testing the Binding Code of Scripting Languages with...

Peng Xu (TCA/SKLCS, Institute of Software, Chinese Academy of Sciences; University of Chinese Academy of Sciences), Yanhao Wang (QI-ANXIN Technology Research Institute), Hong Hu (Pennsylvania State University), Purui Su (TCA/SKLCS, Institute of Software, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences)

Read More

ProvTalk: Towards Interpretable Multi-level Provenance Analysis in Networking Functions...

Azadeh Tabiban (CIISE, Concordia University, Montreal, QC, Canada), Heyang Zhao (CIISE, Concordia University, Montreal, QC, Canada), Yosr Jarraya (Ericsson Security Research, Ericsson Canada, Montreal, QC, Canada), Makan Pourzandi (Ericsson Security Research, Ericsson Canada, Montreal, QC, Canada), Mengyuan Zhang (Department of Computing, The Hong Kong Polytechnic University, China), Lingyu Wang (CIISE, Concordia University, Montreal, QC, Canada)

Read More

DRAWN APART: A Device Identification Technique based on Remote...

Tomer Laor (Ben-Gurion Univ. of the Negev), Naif Mehanna (Univ. Lille, CNRS, Inria), Antonin Durey (Univ. Lille, CNRS, Inria), Vitaly Dyadyuk (Ben-Gurion Univ. of the Negev), Pierre Laperdrix (Univ. Lille, CNRS, Inria), Clémentine Maurice (Univ. Lille, CNRS, Inria), Yossi Oren (Ben-Gurion Univ. of the Negev), Romain Rouvoy (Univ. Lille, CNRS, Inria / IUF), Walter Rudametkin…

Read More