In case of cybersecurity problems in a company or organisation, it is very important to quickly inform the relevant security contact. Often, however, these contacts are not easy to find on websites, or are not even listed. The "security.txt" standard provides a way to publish the security contact of an organisation or company in a uniform way, thus making it quicker to find.
There is no such thing as 100% security in IT systems, and vulnerabilities are part of everyday life. Such security vulnerabilities are often discovered by security researchers, the NCSC, employees of the company or organisation concerned, and by the public, and should be reported as quickly as possible to the relevant security contact.
However, the specific contact details are often hard to find or are not published at all. Often, only a central telephone number or a generic email address is listed on the website. As a result, the reporting person has to ask around to find the right contact and explain the problem several times over. This wastes valuable time; by the time the information reaches the person in charge, it may already be too late. It also often happens that the report is ignored or not forwarded, so the responsible security contact never learns of the vulnerability.
The "security.txt" standard makes it possible to quickly find the responsible security contact on a company's or organisation's website. The standard requires a text file named "security.txt" to be placed in the predefined "/.well-known" directory of the company's or organisation's website. As a minimum, this file contains the contact details that can be used to reach the relevant security contact of the company or organisation. Other security-relevant information (for example an encryption key or a link to a disclosure policy) can also be stored there. The NCSC has produced a guide for organisations and companies that describes the specific procedure and provides further information.
The "security.txt" standard can be easily implemented by a company's or organisation's IT support service and makes a significant contribution to improving security management.
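The following Python script is an added example and is not part of the NCSC article or its guide. It shows what a minimal security.txt looks like, builds the location where the file must be published, and checks a fetched copy against the basic rules of RFC 9116, the document that standardises the file (Contact and Expires are mandatory, Contact values are URIs, Expires is an ISO 8601 timestamp). The sample file content, the organisation example.ch and every URL inside the samples are constructed placeholders; the script also unwraps an OpenPGP cleartext signature, which some organisations add, but does not verify it.

```python
"""Added example: build the security.txt URL for a host, parse a security.txt
body, and check it against the basic RFC 9116 rules (Contact and Expires are
required; Contact values are URIs; Expires is an ISO 8601 timestamp).
All sample content below is constructed; example.ch is a placeholder host."""
from datetime import datetime, timezone
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

REQUIRED_FIELDS = ("contact", "expires")
KNOWN_FIELDS = {
    "contact", "expires", "encryption", "acknowledgments", "preferred-languages",
    "canonical", "policy", "hiring", "csaf",
}

# Constructed example of a well-formed file (what an organisation would publish).
SAMPLE = """\
# Constructed sample for a hypothetical organisation (example.ch)
Contact: mailto:security@example.ch
Contact: https://example.ch/security/report
Expires: 2099-12-31T23:00:00Z
Encryption: https://example.ch/pgp-key.txt
Preferred-Languages: de, fr, it, en
Canonical: https://example.ch/.well-known/security.txt
"""

# Constructed example of a defective file: no Expires, plain-http Contact.
BAD_SAMPLE = """\
Contact: http://example.ch/contact
Hiring: https://example.ch/jobs
"""


def well_known_url(host: str) -> str:
    """The location RFC 9116 prescribes: /.well-known/security.txt over HTTPS."""
    return f"https://{host}/.well-known/security.txt"


def strip_clearsign(text: str) -> List[str]:
    """Return the payload lines, unwrapping an OpenPGP cleartext signature if
    present. The signature itself is NOT verified here; do that with gpg."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        return lines
    body: List[str] = []
    in_headers = True
    for line in lines[1:]:
        if in_headers:  # skip "Hash: ..." armor headers up to the blank line
            if line.strip() == "":
                in_headers = False
            continue
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        # Cleartext signatures dash-escape payload lines that start with "-".
        body.append(line[2:] if line.startswith("- ") else line)
    return body


def parse_security_txt(text: str) -> List[Tuple[str, str]]:
    """Parse 'Field: value' lines; comments (#) and blank lines are ignored.
    Field names are case-insensitive, so they are lower-cased here."""
    fields: List[Tuple[str, str]] = []
    for raw in strip_clearsign(text):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.append((name.strip().lower(), value.strip()))
    return fields


def validate(fields: List[Tuple[str, str]], now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems; an empty list means the file passed."""
    now = now or datetime.now(timezone.utc)
    problems: List[str] = []
    names = [name for name, _ in fields]
    for required in REQUIRED_FIELDS:
        if required not in names:
            problems.append(f"missing required field: {required}")
    if names.count("expires") > 1:
        problems.append("Expires must appear exactly once")
    for name, value in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field: {name}")
        elif name == "contact":
            scheme = urlsplit(value).scheme.lower()
            if not scheme:
                problems.append(f"Contact is not a URI: {value}")
            elif scheme == "http":
                problems.append(f"Contact uses plain http instead of https: {value}")
        elif name == "expires":
            try:
                expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
            except ValueError:
                problems.append(f"Expires is not an ISO 8601 timestamp: {value}")
                continue
            if expires.tzinfo is None:
                problems.append(f"Expires lacks a timezone offset: {value}")
            elif expires <= now:
                problems.append(f"Expires is in the past, file is stale: {value}")
    return problems


if __name__ == "__main__":
    print(well_known_url("www.admin.ch"))
    print("sample:", validate(parse_security_txt(SAMPLE)) or "OK")
    print("bad sample:", validate(parse_security_txt(BAD_SAMPLE)))
```

To check a live site, fetch `well_known_url(host)` with any HTTP client and pass the response body to `parse_security_txt` and `validate`; a stale Expires value is the most common defect in files that were set up once and then forgotten, which is why the check treats it as a problem rather than a warning.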
A survey by the NCSC shows that several thousand websites in Switzerland have already implemented the "security.txt" standard. Compared with the several million websites in Switzerland, however, there is still room for improvement. The NCSC encourages companies, organisations and administrations in Switzerland to implement this security standard, as by doing so they will make a significant contribution to cybersecurity.
The federal administration is also working on implementing this standard. Among other things, a security.txt is already available on the website www.admin.ch: https://www.admin.ch/.well-known/security.txt.
Other federal administration websites will follow.