Have you heard of RFC 9116? If not, I understand. I don’t really know anything by RFC numbering and that is ok. RFC 9116 is a document put out by the Internet Engineering Task Force (IETF) that defines a file format to aid in security vulnerability disclosure. It is important to note that it is published as an Informational RFC, not a standard, so it describes a convention for you to adopt rather than a requirement.
So what does it do? The document defines the security.txt file and its format. Security.txt is a simple text file that tells the world how an organization wants to receive vulnerability reports: at minimum a Contact line (an email address, web form or phone number, written as a URI) and an Expires line that says how long the information can be trusted, plus optional lines for your disclosure policy, an encryption key, acknowledgments and preferred languages. Imagine you are a security tester and find a vulnerability on a website: rather than guessing at an email address, you check for security.txt and it gives you a clear description of how to report the issue and who to report it to.
Where do you find security.txt? To make sure it is easy to locate, the RFC says the file must be served at /.well-known/security.txt over HTTPS (the older top-level /security.txt location should only redirect there). Having one well-known location makes it simple for anyone to find it, as long as they are aware of the convention in the first place.
Do I need a bug bounty program for this? Not at all. Vulnerability disclosure and bug bounties are different programs. Even if you are not offering rewards for reported bugs, it is still a recommended practice to have a disclosure process in place so that users and researchers can report vulnerabilities to you, and security.txt is simply the way you advertise that process.
Links
RFC 9116 – https://www.rfc-editor.org/rfc/rfc9116
DevelopSec Blog – https://www.developsec.com/2018/06/26/overview-of-web-security-policies/
DevelopSec Podcast – https://developsec.libsyn.com/ep-102-intro-to-web-security-policies
Securitytxt.org – https://securitytxt.org/