IESG calls for comment on proposed vulnerability reporting standard
Recently, the Internet Engineering Steering Group (IESG) released the final draft of the cyber vulnerability disclosure standard Security.txt, a cybersecurity policy designed to make it as easy as possible for researchers to disclose the vulnerability.
The IESG Vulnerability Disclosure Standard, which is widely watched by the security industry, will soon become the recommended vulnerability disclosure reporting standard for all websites. After entering the final comment stage, parties interested in the standard have less than a month to submit comments.
The standard proposal “A Method for Web Security Policies” aims to improve the communication channels currently used by independent security researchers to disclose web service vulnerabilities. Implementation of the standard is also very simple: organizations and site administrators need only place the standardized file Security.txt in the site-specified directory path. Security researchers can easily contact the company through this file.
The GitHub page for this standard proposal shows that the Security.txt file provides clear guidance for security researchers on how to report security issues and allows the scope of the bug bounty program to be defined. Due to the lack of clear rules and regulations, researchers often cannot timely and securely inform the organization of security breaches.