The security contact must be easy to find
When security incidents occur, it is important to find the company's responsible IT contact quickly. Often, these contacts are not published at all. The "security.txt" standard is intended to solve this problem.
There is no such thing as one hundred percent security in IT systems, and vulnerabilities are part of everyday life. Often, however, the responsible security contacts are not easy to find on websites or are not published at all. The "security.txt" standard offers a uniform way to publish the security contact of an organization or company so that it can be found more quickly.
The standard specifies that a text file with the name "security.txt" is saved in the predefined directory "/.well-known" on the website of the company or organization. This file contains at least the contact data that can be used to get in touch with the responsible security contact of a company or organization. In addition, other security-relevant information can also be stored there.
According to the National Cyber Security Center (NCSC), the "security.txt" standard is technically easy for the IT support of a company or organization to implement and contributes significantly to improving security management. According to an NCSC survey, several thousand websites in Switzerland have already implemented the "security.txt" standard. Measured against the several million websites in Switzerland, however, there is still "room for improvement".
The NCSC has a guide for organizations and companies that describes the exact procedure and provides further information.
Source: NCSC